Gentoo Archives: gentoo-security

From: Miguel Sousa Filipe <miguel.filipe@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] mount noexec and ro
Date: Thu, 07 Dec 2006 17:50:54
Message-Id: f058a9c30612070944rb37aa44m468057ed5d186832@mail.gmail.com
In Reply to: Re: [gentoo-security] mount noexec and ro by Joe Knall
Hi,


On 11/4/06, Joe Knall <joe.knall@×××.net> wrote:
> On Sat, 2006-11-04 16:00 Paul de Vrieze wrote: > > On Saturday 04 November 2006 12:11, Joe Knall wrote: > > > can/does mounting a partition with noexec, ro etc. provide > > > additional security or are those limitations easy to circumvent? > > > > > > Example: webserver running chrooted > > > all libs and executables (apache, lib, usr ...) on read only > > > mounted partition /srv/www, data dirs (logs, htdocs ...) on > > > partition /srv/www/data mounted with noexec (but rw of course), no > > > cgi needed. > > > Server is started with "chroot /srv/www /apache/bin/httpd -k > > > start". > > > > Besides this, you must also add nodev to prevent those kinds of > > circumventions > > > > Paul > > correct, it's atually like this > /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr) > /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr) >
I cannot have any kind of a intrepreted language supported in those environments.. or a simple perl/php/lisp "data" file can circunvent those attacks!
> but I need a /dev, currently data/dev with null and urandom there, > writeable and not nodev (could as well be a separate partition). > Do you think this turns all the rest in vain? > > Joe > -- > gentoo-security@g.o mailing list > >
-- Miguel Sousa Filipe -- gentoo-security@g.o mailing list

Replies

Subject Author
Re: [gentoo-security] mount noexec and ro Joe Knall <joe.knall@×××.net>