Gentoo Archives: gentoo-security

From: Paul de Vrieze <pauldv@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] mount noexec and ro
Date: Sat, 04 Nov 2006 15:07:34
In Reply to: [gentoo-security] mount noexec and ro by Joe Knall
On Saturday 04 November 2006 12:11, Joe Knall wrote:
> Hello,
>
> can/does mounting a partition with noexec, ro etc. provide additional
> security or are those limitations easy to circumvent?
>
> Example: webserver running chrooted
> all libs and executables (apache, lib, usr ...) on read only mounted
> partition /srv/www, data dirs (logs, htdocs ...) on
> partition /srv/www/data mounted with noexec (but rw of course), no cgi
> needed.
> Server is started with "chroot /srv/www /apache/bin/httpd -k start".
>
> Any cognition? Is this useful, nice, nonsense?
> Keeping the chroot updated and so on is not my concern here.

Besides this, you must also add nodev to prevent those kinds of circumventions.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@g.o
Homepage:
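
A way to verify the layout discussed in this thread on a running system, as an added example that is not part of the original messages: it parses /proc/mounts-format input and reports when /srv/www lacks ro or nodev, or /srv/www/data lacks noexec or nodev. The function names, the sample device names and the choice to require nodev on both partitions are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit mount options of the chroot layout.

# check_mount MOUNTS_FILE MOUNTPOINT OPT[,OPT...]
# Prints one line per missing option; returns 1 if any is missing or the
# path is not its own mount point (so no options apply to it at all).
check_mount() {
    mounts_file=$1 mountpoint=$2 required=$3
    # Fields: device mountpoint fstype options dump pass.
    # Keep the last match: a later mount on the same path shadows earlier ones.
    opts=$(awk -v mp="$mountpoint" '$2 == mp { o = $4 } END { print o }' "$mounts_file")
    if [ -z "$opts" ]; then
        echo "$mountpoint: not a separate mount point"
        return 1
    fi
    status=0
    old_ifs=$IFS; IFS=,
    for want in $required; do
        # Compare whole comma-delimited options so that "ro" does not
        # match inside something like "errors=remount-ro".
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$mountpoint: missing $want"; status=1 ;;
        esac
    done
    IFS=$old_ifs
    return $status
}

# audit_chroot [MOUNTS_FILE]: checks both partitions named in the thread.
audit_chroot() {
    file=${1:-/proc/mounts}
    rc=0
    check_mount "$file" /srv/www ro,nodev || rc=1
    check_mount "$file" /srv/www/data noexec,nodev || rc=1
    return $rc
}

# Constructed sample in /proc/mounts format: the data partition lacks nodev.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda5 /srv/www ext3 ro,nodev 0 0
/dev/sda6 /srv/www/data ext3 rw,noexec 0 0
EOF
audit_chroot "$sample" || echo "audit failed"
rm -f "$sample"
```

Run `audit_chroot` with no argument to check the live system; mount points containing spaces appear escaped as `\040` in /proc/mounts and would need the same escaping in the path passed to `check_mount`.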

