Hi,
On 11/4/06, Joe Knall <joe.knall@...> wrote:
> On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
> > On Saturday 04 November 2006 12:11, Joe Knall wrote:
> > > can/does mounting a partition with noexec, ro etc. provide
> > > additional security or are those limitations easy to circumvent?
> > >
> > > Example: webserver running chrooted
> > > all libs and executables (apache, lib, usr ...) on read only
> > > mounted partition /srv/www, data dirs (logs, htdocs ...) on
> > > partition /srv/www/data mounted with noexec (but rw of course), no
> > > cgi needed.
> > > Server is started with "chroot /srv/www /apache/bin/httpd -k
> > > start".
> >
> > Besides this, you must also add nodev to prevent those kinds of
> > circumventions
> >
> > Paul
>
> correct, it's atually like this
> /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
> /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)
>
I cannot have any kind of a intrepreted language supported in those
environments..
or a simple perl/php/lisp "data" file can circunvent those attacks!
> but I need a /dev, currently data/dev with null and urandom there,
> writeable and not nodev (could as well be a separate partition).
> Do you think this turns all the rest in vain?
>
> Joe
> --
> gentoo-security@g.o mailing list
>
>
--
Miguel Sousa Filipe
--
gentoo-security@g.o mailing list
|
