Gentoo Archives: gentoo-dev

From: Daniel Drake <dsd@g.o>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] Making procfs mount as nosuid,noexec by default
Date: Sat, 15 Jul 2006 16:44:40
Message-Id: 44B91B98.2050803@gentoo.org

Hi,

The local root exploit-of-the-week would have been unable to run if our
users' systems had /proc mounted with nosuid and/or noexec.

It would be worthwhile considering making this a default. What are
people's thoughts?

Additional testing of this change would be appreciated (just ensure that
nothing breaks). To do it as a one off:

# mount -o remount,nosuid,noexec /proc

To make it more permanent, /etc/fstab has:

proc /proc proc defaults 0 0

Change to:

proc /proc proc nosuid,noexec 0 0


Thanks,
Daniel
--
gentoo-dev@g.o mailing list
