Gentoo Archives: gentoo-security

From: Joe Knall <joe.knall@×××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] mount noexec and ro
Date: Sat, 04 Nov 2006 16:34:43
In Reply to: Re: [gentoo-security] mount noexec and ro by Paul de Vrieze
On Sat, 2006-11-04 16:00 Paul de Vrieze wrote:
> On Saturday 04 November 2006 12:11, Joe Knall wrote: > > can/does mounting a partition with noexec, ro etc. provide > > additional security or are those limitations easy to circumvent? > > > > Example: webserver running chrooted > > all libs and executables (apache, lib, usr ...) on read only > > mounted partition /srv/www, data dirs (logs, htdocs ...) on > > partition /srv/www/data mounted with noexec (but rw of course), no > > cgi needed. > > Server is started with "chroot /srv/www /apache/bin/httpd -k > > start". > > Besides this, you must also add nodev to prevent those kinds of > circumventions > > Paul
correct, it's atually like this /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr) /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr) but I need a /dev, currently data/dev with null and urandom there, writeable and not nodev (could as well be a separate partition). Do you think this turns all the rest in vain? Joe -- gentoo-security@g.o mailing list


Subject Author
Re: [gentoo-security] mount noexec and ro Paul de Vrieze <pauldv@g.o>
Re: [gentoo-security] mount noexec and ro Miguel Sousa Filipe <miguel.filipe@×××××.com>