| 1 |
Am 24.04.2013 18:12, schrieb Tanstaafl: |
| 2 |
> On 2013-04-24 11:31 AM, Florian Philipp <lists@×××××××××××.net> wrote: |
| 3 |
>> Am 24.04.2013 17:12, schrieb Tanstaafl: |
| 4 |
>>> Ok, but - does it make sense to add the noexec option to /var/tmp? Is it |
| 5 |
>>> possible that there are other apps that need exec capability in there? |
| 6 |
> |
| 7 |
>> It makes sense. Any world-writable directory should be noexec to make |
| 8 |
>> script injection harder. Other directories, too, like /var/www (if you |
| 9 |
>> can, i.e. no cgi). I cannot tell you if any application might need it. |
| 10 |
>> Try it. It is easy enough to revert, maybe even with a `mount -o |
| 11 |
>> remount`, I'm not sure. |
| 12 |
>> |
| 13 |
>> Also, look at |
| 14 |
>> http://serverfault.com/questions/72356/how-useful-is-mounting-tmp-noexec |
| 15 |
> |
| 16 |
> Hmmm, this only talks about /tmp... I'm talking about /var/tmp... |
| 17 |
> |
| 18 |
> So, I guess you're right, I'll just need to try it and see... |
| 19 |
> |
| 20 |
|
| 21 |
Just stumbled across this: |
| 22 |
http://blog.siphos.be/2013/04/securely-handling-libffi/ |
| 23 |
|
| 24 |
Might be relevant, might be not. |
| 25 |
|
| 26 |
Regards, |
| 27 |
Florian Philipp |
Archives