On Thu, 2006-12-07 18:44 Miguel Sousa Filipe wrote:
> Hi,
>
> On 11/4/06, Joe Knall <joe.knall@×××.net> wrote:
> > On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
> > > On Saturday 04 November 2006 12:11, Joe Knall wrote:
> > > > can/does mounting a partition with noexec, ro etc. provide
> > > > additional security or are those limitations easy to
> > > > circumvent?
> > > >
> > > > Example: webserver running chrooted
> > > > all libs and executables (apache, lib, usr ...) on read only
> > > > mounted partition /srv/www, data dirs (logs, htdocs ...) on
> > > > partition /srv/www/data mounted with noexec (but rw of course),
> > > > no cgi needed.
> > > > Server is started with "chroot /srv/www /apache/bin/httpd -k
> > > > start".
> > >
> > > Besides this, you must also add nodev to prevent those kinds of
> > > circumventions
> > >
> > > Paul
> >
> > correct, it's actually like this
> > /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
> > /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)
>
> I cannot have any kind of an interpreted language supported in those
> environments..
> or a simple perl/php/lisp "data" file can circumvent those attacks!

When I get you right, you mean the P in Lamp makes these limitations
(ro, noexec, nodev, chroot ...) nonsense.
Ok, what makes you think so?
How do you do it (get a shell, root access, hijack the box ...)?
What's a better approach to prevent it?

Joe

--
gentoo-security@g.o mailing list
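The mount layout quoted in the thread can be audited mechanically rather than by eye. The script below is an added example (not posted by anyone in the thread) that checks /proc/mounts-style entries for the options the posters name (ro, noexec, nosuid, nodev); the mount table is a constructed sample standing in for /proc/mounts, and the third entry is an assumed weaker mount added for contrast. Run against the two mounts Joe quoted, it reports that /srv/www/data lacks the nodev Paul asked for.

```shell
#!/bin/sh
# Audit /proc/mounts-style entries for the hardening options discussed in
# the thread. SAMPLE_MOUNTS is a constructed stand-in for /proc/mounts so
# the check runs offline; replace it with "$(cat /proc/mounts)" in practice.
# The first two lines mirror the thread; the third is an assumed extra mount.
SAMPLE_MOUNTS='/dev/sda5 /srv/www ext3 ro,nosuid,nodev,acl,user_xattr 0 0
/dev/sda6 /srv/www/data ext3 rw,noexec,nosuid,acl,user_xattr 0 0
/dev/sda7 /srv/other/data ext3 rw,nosuid,acl,user_xattr 0 0'

# has_opt MOUNTPOINT OPTION TABLE
# Returns 0 if the mount point carries OPTION, 1 if it lacks it or is not
# mounted. Options are matched as whole comma-separated tokens, so "acl"
# does not accidentally satisfy a check for "noacl" and vice versa.
has_opt() {
    mp=$1; opt=$2; table=$3
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print $4 }')
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *",$opt,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_mount MOUNTPOINT TABLE OPTION...
# Prints "<mp>: ok" or "<mp>: missing <opts>"; returns 0 only when every
# required option is present.
check_mount() {
    mp=$1; table=$2; shift 2
    missing=""
    for opt in "$@"; do
        has_opt "$mp" "$opt" "$table" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: ok"
    return 0
}

# Code/library partition: read-only, no setuid binaries, no device nodes.
status=0
check_mount /srv/www "$SAMPLE_MOUNTS" ro nosuid nodev || status=1
# Writable data partitions: no execution, no setuid, and nodev as Paul advised.
check_mount /srv/www/data "$SAMPLE_MOUNTS" noexec nosuid nodev || status=1
check_mount /srv/other/data "$SAMPLE_MOUNTS" noexec nosuid nodev || status=1
[ "$status" -eq 0 ] && echo "all mounts hardened" || echo "hardening gaps found"
```

In a cron job or post-boot check you would end with `exit "$status"` so a drifted mount table fails loudly.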