On 24.04.2013 18:12, Tanstaafl wrote:
> On 2013-04-24 11:31 AM, Florian Philipp <lists@×××××××××××.net> wrote:
>> On 24.04.2013 17:12, Tanstaafl wrote:
>>> Ok, but - does it make sense to add the noexec option to /var/tmp? Is it
>>> possible that there are other apps that need exec capability in there?
>
>> It makes sense. Any world-writable directory should be noexec to make
>> script injection harder. Other directories, too, like /var/www (if you
>> can, i.e. no cgi). I cannot tell you if any application might need it.
>> Try it. It is easy enough to revert, maybe even with a `mount -o
>> remount`, I'm not sure.
>>
>> Also, look at
>> http://serverfault.com/questions/72356/how-useful-is-mounting-tmp-noexec
>
> Hmmm, this only talks about /tmp... I'm talking about /var/tmp...
>
> So, I guess you're right, I'll just need to try it and see...
>

Just stumbled across this:
http://blog.siphos.be/2013/04/securely-handling-libffi/

Might be relevant, might be not.

Regards,
Florian Philipp
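
Added example, not part of the original message: a check of whether the filesystem that actually backs a directory such as /var/tmp is mounted noexec, which matters because /var/tmp is often not a mount point of its own. The function names `covering_mount` and `is_noexec` and the sample mount table are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample mount table below is constructed.
# Format is that of /proc/mounts: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext4 rw,nodev 0 0'

# covering_mount DIR [TABLE]: print "mountpoint options" for the mount that
# actually backs DIR (longest mount point that is DIR or a parent of it).
# TABLE defaults to the live /proc/mounts. Mount points containing spaces
# (escaped as \040 there) are not handled.
covering_mount() {
    dir=$1
    table=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$table" | awk -v d="$dir" '
        {
            mp = $2
            if (mp == d || mp == "/" || index(d, mp "/") == 1) {
                # >= so a later mount on the same point shadows an earlier one
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
            }
        }
        END { if (best != "") print best, opts }'
}

# is_noexec DIR [TABLE]: succeed only if the covering mount carries noexec.
is_noexec() {
    opts=$(covering_mount "$@" | awk '{ print $2 }')
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Report on the two directories discussed in the thread, using the sample table.
for d in /tmp /var/tmp; do
    if is_noexec "$d" "$SAMPLE_MOUNTS"; then state="noexec"; else state="exec allowed"; fi
    echo "$d -> $(covering_mount "$d" "$SAMPLE_MOUNTS") [$state]"
done
```

On a live system, call `is_noexec /var/tmp` without a table argument. If the covering mount turns out to be `/var` or `/`, a `mount -o remount,noexec` applies to that whole filesystem, not only to /var/tmp.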