Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-security@g.o
From: ascii <ascii@...>
Subject: Re: mount noexec and ro
Date: Sat, 09 Dec 2006 05:21:56 +0100
Joe Knall wrote:
> When I get you right, you mean the P in Lamp makes these limitations 
> (ro, noexec, nodev, chroot ...) nonsense.

only the noexec is defeated from scripts, ro nodev chrooting are
obviously safe from this

..but..

noexec on linux is futile since you could use /lib/ld-linux.so to exec
bins on a noexec mount point

if you make ld-linux.so -x then you have to rebuild all binaries
statically linked : )

..so..

it's better to get some acl/rbac system like grsec+pax and (rsbac or
selinux) to get sure things happens right

yes, it could be some time expensive to write/adapt the rules to your
current system but it worth the effort

regards,
Francesco 'ascii' Ongaro
http://www.ush.it/
-- 
gentoo-security@g.o mailing list


References:
mount noexec and ro
-- Joe Knall
Re: mount noexec and ro
-- Joe Knall
Re: mount noexec and ro
-- Miguel Sousa Filipe
Re: mount noexec and ro
-- Joe Knall
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: mount noexec and ro
Next by thread:
Introduction
Previous by date:
Re: mount noexec and ro
Next by date:
freeradius eap tls issue


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.