Gentoo Archives: gentoo-security

From: Miguel Sousa Filipe <miguel.filipe@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] mount noexec and ro
Date: Thu, 07 Dec 2006 17:50:54
Message-Id: f058a9c30612070944rb37aa44m468057ed5d186832@mail.gmail.com
In Reply to: Re: [gentoo-security] mount noexec and ro by Joe Knall
1 Hi,
2
3
4 On 11/4/06, Joe Knall <joe.knall@×××.net> wrote:
5 > On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
6 > > On Saturday 04 November 2006 12:11, Joe Knall wrote:
7 > > > can/does mounting a partition with noexec, ro etc. provide
8 > > > additional security or are those limitations easy to circumvent?
9 > > >
10 > > > Example: webserver running chrooted
11 > > > all libs and executables (apache, lib, usr ...) on read only
12 > > > mounted partition /srv/www, data dirs (logs, htdocs ...) on
13 > > > partition /srv/www/data mounted with noexec (but rw of course), no
14 > > > cgi needed.
15 > > > Server is started with "chroot /srv/www /apache/bin/httpd -k
16 > > > start".
17 > >
18 > > Besides this, you must also add nodev to prevent those kinds of
19 > > circumventions
20 > >
21 > > Paul
22 >
23 > correct, it's atually like this
24 > /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
25 > /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)
26 >
27
28
29 I cannot have any kind of a intrepreted language supported in those
30 environments..
31 or a simple perl/php/lisp "data" file can circunvent those attacks!
32
33 > but I need a /dev, currently data/dev with null and urandom there,
34 > writeable and not nodev (could as well be a separate partition).
35 > Do you think this turns all the rest in vain?
36 >
37 > Joe
38 > --
39 > gentoo-security@g.o mailing list
40 >
41 >
42
43
44 --
45 Miguel Sousa Filipe
46 --
47 gentoo-security@g.o mailing list

Replies

Subject Author
Re: [gentoo-security] mount noexec and ro Joe Knall <joe.knall@×××.net>