Joe Knall wrote:
> When I get you right, you mean the P in LAMP makes these limitations
> (ro, noexec, nodev, chroot ...) nonsense.

Only noexec is defeated by scripts; ro, nodev and chrooting are
obviously safe from this.

..but..

noexec on Linux is futile, since you could use /lib/ld-linux.so to exec
binaries on a noexec mount point.

If you make ld-linux.so -x, then you have to rebuild all binaries
statically linked : )

..so..

It's better to get some ACL/RBAC system like grsec+PaX and (RSBAC or
SELinux) to make sure things happen right.

Yes, it could be somewhat time-expensive to write/adapt the rules to your
current system, but it's worth the effort.

Regards,
Francesco 'ascii' Ongaro
http://www.ush.it/
--
gentoo-security@g.o mailing list
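As an added example, not part of the thread above: a small audit over `/proc/mounts`-format text that reports, per mount, which hardening options are present and which are missing, and separates the options the post calls robust (ro, nodev, and nosuid as a common companion) from noexec, which the post explains is only defence in depth because interpreters and the dynamic loader can work around it. The mount table below is constructed, not captured from a real host; the `audit` function and its result layout are this example's own.

```python
"""Audit mount hardening options from /proc/mounts-format text.

Added example, not code from the mailing-list thread. Parses the
/proc/mounts line format (device mountpoint fstype options dump pass)
and classifies the options found on each mount.
"""
from dataclasses import dataclass

# Options that restrict what a writable/file-backed mount can be used for.
# Per the thread, ro and nodev hold up; noexec does not, because scripts
# run through an interpreter and binaries can be fed to ld-linux.so.
HARD_OPTS = ("ro", "nodev", "nosuid")   # nosuid added here as an assumption
SOFT_OPTS = ("noexec",)
EXPECTED = ("nodev", "nosuid", "noexec")  # what an audit would want to see

# Constructed sample table; not a real host's /proc/mounts.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /var/www ext4 rw,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /usr ext4 ro,nodev,relatime 0 0
"""


@dataclass
class Mount:
    device: str
    mountpoint: str
    fstype: str
    options: frozenset


def parse_mounts(text):
    """Parse /proc/mounts-style lines into Mount records."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed mounts line: {line!r}")
        # /proc/mounts escapes spaces in paths as \040; decode them.
        device, mountpoint, fstype, opts = (
            f.replace("\\040", " ") for f in fields[:4]
        )
        mounts.append(Mount(device, mountpoint, fstype,
                            frozenset(opts.split(","))))
    return mounts


def classify(mount):
    """Split a mount's options into hard controls, soft controls, and gaps."""
    return {
        "hard": [o for o in HARD_OPTS if o in mount.options],
        "soft": [o for o in SOFT_OPTS if o in mount.options],
        "missing": [o for o in EXPECTED if o not in mount.options],
    }


def audit(text):
    """Return {mountpoint: classification} for every mount in the text."""
    return {m.mountpoint: classify(m) for m in parse_mounts(text)}


if __name__ == "__main__":
    for mp, info in audit(SAMPLE_MOUNTS).items():
        print(f"{mp:10} hard={info['hard']} soft={info['soft']} "
              f"missing={info['missing']}")
```

Run against a live system with `audit(open("/proc/mounts").read())`; a mount whose only listed control is in the `soft` column is exactly the case the post describes, where noexec alone is not a boundary.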