Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-security@g.o
From: Joe Knall <joe.knall@...>
Subject: Re: mount noexec and ro
Date: Sat, 9 Dec 2006 03:34:31 +0100
On Thu, 2006-12-07 18:44 Miguel Sousa Filipe wrote:
> Hi,
>
> On 11/4/06, Joe Knall <joe.knall@...> wrote:
> > On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
> > > On Saturday 04 November 2006 12:11, Joe Knall wrote:
> > > > can/does mounting a partition with noexec, ro etc. provide
> > > > additional security or are those limitations easy to
> > > > circumvent?
> > > >
> > > > Example: webserver running chrooted
> > > > all libs and executables (apache, lib, usr ...) on read only
> > > > mounted partition /srv/www, data dirs (logs, htdocs ...) on
> > > > partition /srv/www/data mounted with noexec (but rw of course),
> > > > no cgi needed.
> > > > Server is started with "chroot /srv/www /apache/bin/httpd -k
> > > > start".
> > >
> > > Besides this, you must also add nodev to prevent those kinds of
> > > circumventions
> > >
> > > Paul
> >
> > correct, it's atually like this
> > /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr)
> > /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr)
>
> I cannot have any kind of a intrepreted language supported in those
> environments..
> or a simple perl/php/lisp "data" file can circunvent those attacks!

When I get you right, you mean the P in Lamp makes these limitations 
(ro, noexec, nodev, chroot ...) nonsense.
Ok, what makes you think so?
How do you do it (get a shell, root access, hijack the box ...)?
What's a better approach to prevent it?

Joe

-- 
gentoo-security@g.o mailing list


Replies:
Re: mount noexec and ro
-- ascii
References:
mount noexec and ro
-- Joe Knall
Re: mount noexec and ro
-- Joe Knall
Re: mount noexec and ro
-- Miguel Sousa Filipe
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: mount noexec and ro
Next by thread:
Re: mount noexec and ro
Previous by date:
Re: mount noexec and ro
Next by date:
Re: mount noexec and ro


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.