Gentoo Archives: gentoo-security

From: ascii <ascii@××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] mount noexec and ro
Date: Sat, 09 Dec 2006 03:27:07
In Reply to: Re: [gentoo-security] mount noexec and ro by Joe Knall
Joe Knall wrote:
> When I get you right, you mean the P in Lamp makes these limitations
> (ro, noexec, nodev, chroot ...) nonsense.

only the noexec is defeated from scripts, ro nodev chrooting are obviously safe from this

..but.. noexec on linux is futile since you could use /lib/ to exec bins on a noexec mount point

if you make -x then you have to rebuild all binaries statically linked : )

it's better to get some acl/rbac system like grsec+pax and (rsbac or selinux) to make sure things happen right

yes, it could be somewhat time expensive to write/adapt the rules to your current system but it is worth the effort

regards,
Francesco 'ascii' Ongaro
--
gentoo-security@g.o mailing list