Daniel Drake wrote:
> Hi,
>
> The local root exploit-of-the-week would have been unable to run if our
> users' systems had /proc mounted with nosuid and/or noexec.
>
> It would be worthwhile considering making this a default. What are
> people's thoughts?
>
> Additional testing of this change would be appreciated (just ensure that
> nothing breaks). To do it as a one-off:
>
> # mount -o remount,nosuid,noexec /proc
>
> To make it more permanent, /etc/fstab has:
>
> proc /proc proc defaults 0 0
>
> Change to:
>
> proc /proc proc nosuid,noexec 0 0
>
>
> Thanks,
> Daniel

Daniel,

Turns out that yesterday, after we talked about this, I've been running
one of my boxes like that for ages. So far so good.

--
Doug Goldstein <cardoe@g.o>
http://dev.gentoo.org/~cardoe/