Gentoo Archives: gentoo-security

From: ascii <ascii@××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] mount noexec and ro
Date: Sat, 09 Dec 2006 03:27:07
Message-Id: 20061209031915.506559@host216-188.pool8250.interbusiness.it
In Reply to: Re: [gentoo-security] mount noexec and ro by Joe Knall

Joe Knall wrote:
> When I get you right, you mean the P in Lamp makes these limitations
> (ro, noexec, nodev, chroot ...) nonsense.

only the noexec is defeated from scripts, ro nodev chrooting are obviously safe from this

..but.. noexec on linux is futile since you could use /lib/ld-linux.so to exec bins on a noexec mount point

if you make ld-linux.so -x then you have to rebuild all binaries statically linked : )

..so.. it's better to get some acl/rbac system like grsec+pax and (rsbac or selinux) to make sure things happen right

yes, it could be somewhat time expensive to write/adapt the rules to your current system but it's worth the effort

regards,
Francesco 'ascii' Ongaro
http://www.ush.it/

--
gentoo-security@g.o mailing list
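
Added example, not part of the original message: a small audit that reads mount entries in `/proc/mounts` format and reports which mount points lack the `ro`, `noexec` or `nodev` options discussed in this thread. The policy table and the sample mount lines are constructed for illustration; the check confirms only that an option is set, not how much protection it gives.

```python
import re

# Hypothetical policy: options each mount point is expected to carry.
POLICY = {
    "/tmp": {"noexec", "nodev"},
    "/var/www": {"noexec", "nodev"},
    "/usr": {"ro", "nodev"},
}

# Constructed sample in /proc/mounts format:
# device, mount point, type, options, dump, pass.
SAMPLE = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /usr ext3 ro,nodev 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev 0 0
/dev/sda5 /var/www ext3 rw,noexec 0 0
/dev/sda6 /srv/up\\040load ext3 rw,noexec,nodev 0 0
"""

def unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        # A later entry for the same mount point shadows an earlier one.
        mounts[unescape(parts[1])] = set(parts[3].split(","))
    return mounts

def audit(text, policy):
    mounts = parse_mounts(text)
    findings = {}
    for mountpoint, required in policy.items():
        if mountpoint not in mounts:
            # Options cannot be enforced on a path that is not its own mount.
            findings[mountpoint] = ["not a separate mount"]
            continue
        missing = sorted(required - mounts[mountpoint])
        if missing:
            findings[mountpoint] = missing
    return findings

if __name__ == "__main__":
    for mountpoint, missing in audit(SAMPLE, POLICY).items():
        print(f"{mountpoint}: missing {', '.join(missing)}")
```

On a live system, pass the contents of `/proc/mounts` as `text` instead of `SAMPLE`.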