List Archive: gentoo-security
Joe Knall wrote:
> When I get you right, you mean the P in LAMP makes these limitations
> (ro, noexec, nodev, chroot ...) nonsense.
Only noexec is defeated by scripts; ro, nodev and chrooting are
obviously safe from this.
..but..
noexec on Linux is futile, since you could use /lib/ld-linux.so to exec
binaries on a noexec mount point.
If you make ld-linux.so -x, then you have to rebuild all binaries
statically linked : )
..so..
It's better to get some ACL/RBAC system like grsec+PaX and (RSBAC or
SELinux) to make sure things happen right.
Yes, it could be somewhat time-expensive to write/adapt the rules to your
current system, but it is worth the effort.
regards,
Francesco 'ascii' Ongaro
http://www.ush.it/
--
gentoo-security@g.o mailing list
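The ld.so trick ascii refers to, as an added example that is not part of the original post: the dynamic loader is handed an ELF file as its first argument and maps it itself, so the file never goes through execve(). The script assumes a glibc- or musl-based Linux with a dynamically linked /bin/echo and a loader at one of the usual paths (the candidate globs are assumptions). The first half strips the execute bit from a copy of /bin/echo and shows that the loader still runs it. The second half repeats the comparison on a tmpfs mounted noexec and only runs with root and mount rights; mount(8) notes that this trick fails since Linux 2.4.25 / 2.6.0, because noexec also refuses PROT_EXEC file mappings, so on any current kernel expect "loader=failed" there even though the execute-bit bypass still works.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows the ld.so trick:
# handing an ELF file to the dynamic loader instead of execve()ing it.
# Assumptions (not stated by the post): a glibc- or musl-based Linux with
# a dynamically linked /bin/echo, and a loader at one of the paths below.

# Find the system's dynamic loader. The candidate globs are assumptions
# covering the usual x86_64, i386, aarch64 and musl layouts.
find_loader() {
    for l in /lib64/ld-linux*.so* /lib/ld-linux*.so* \
             /lib/*/ld-linux*.so* /lib/ld-musl-*.so*; do
        if [ -x "$l" ]; then
            echo "$l"
            return 0
        fi
    done
    return 1
}

# Run "$1" with arguments "$2..." through the loader. The loader only needs
# to read and mmap the file, so the file's own execute bit is irrelevant.
run_via_loader() {
    loader=$(find_loader) || return 127
    "$loader" "$@"
}

# Copy /bin/echo with the execute bit removed and compare a direct exec
# (the shell reports "Permission denied") with running it via the loader.
# Output on a normal system: "direct=denied loader=via-ldso".
demo_exec_bit() {
    dir=$(mktemp -d) || return 1
    cp /bin/echo "$dir/echo" && chmod 0644 "$dir/echo"
    direct=ok
    "$dir/echo" hi >/dev/null 2>&1 || direct=denied
    out=$(run_via_loader "$dir/echo" via-ldso 2>/dev/null) || out=failed
    rm -rf "$dir"
    echo "direct=$direct loader=$out"
}

# The same comparison on a tmpfs mounted noexec. Needs root and mount
# rights, otherwise it reports "skipped". mount(8) documents that the
# loader trick fails since Linux 2.4.25 / 2.6.0: noexec also denies
# PROT_EXEC file mappings, so the loader cannot map the binary's code.
demo_noexec() {
    [ "$(id -u)" = 0 ] || { echo "skipped: not root"; return 0; }
    mnt=$(mktemp -d) || return 1
    if ! mount -t tmpfs -o noexec,nodev,nosuid tmpfs "$mnt" 2>/dev/null; then
        rmdir "$mnt"
        echo "skipped: cannot mount"
        return 0
    fi
    cp /bin/echo "$mnt/echo" && chmod 0755 "$mnt/echo"
    direct=ok
    "$mnt/echo" hi >/dev/null 2>&1 || direct=denied
    out=$(run_via_loader "$mnt/echo" via-ldso 2>/dev/null) || out=failed
    umount "$mnt"
    rmdir "$mnt"
    echo "direct=$direct loader=$out"
}

echo "execute bit:  $(demo_exec_bit)"
echo "noexec mount: $(demo_noexec)"
```

The execute-bit half is the part of the argument that still holds: any readable ELF on a mount that allows PROT_EXEC mappings can be run through the loader, which is why the post's remedy of restricting ld-linux.so is no fix either (ld.so must stay executable for every dynamically linked program). The noexec half is the check a practitioner should run on their own kernel before deciding how much to trust the mount option.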