the problem is they both have valid points. in this, as in nearly all aspects of unix administration, there is not a single right answer.

-----Original Message-----
From: "Patrick Börjesson"<psycho@××××××××.cx>
Sent: 2/17/06 4:15:08 PM
To: "gentoo-user@l.g.o"<gentoo-user@l.g.o>
Subject: Re: [gentoo-user] How many GB for / partition?

First, I can't really understand why either one of you two won't fully
explain your reasonings when going against the other. It helps no one.

On 2006-02-17 19:04, Hemmann, Volker Armin uttered these thoughts:
> On Friday 17 February 2006 07:33, Alexander Skwar wrote:
> > Hemmann, Volker Armin wrote:
> > > On Thursday 16 February 2006 20:40, Alexander Skwar wrote:
> > >> Hemmann, Volker Armin wrote:
> > >> > On Thursday 16 February 2006 17:18, Alexander Skwar wrote:
> > >> >> Hemmann, Volker Armin wrote:
> > >> >> >
> > >> >> > Why should he make /tmp noexec,
> > >> >>
> > >> >> Security precaution.
> > >> >
> > >> > if you have 10+ users with access to the box. But a workstation,
> > >> > without even sshd running, it is not needed.

Of course, if you have a system with _no_ services running (including
apache, sshd and so on), or a firewall that blocks every and all
incoming connection attempt, then for someone to access /tmp without
having physical access to the system (in which case you're pretty much
screwed anyhow) is, as far as I know, impossible.

This doesn't take into account client-side exploits; because with these
the exploiting code has access to whatever resources the user running
the client has, including writing to whatever areas that the user has.

> > >> "needed" - What's "needed", anyway?
> > >>
> > >> > And hey, why should /tmp noexec save you from anything?
> > >>
> > >> Because it does.
> > >
> > > so? how?
> >
> > Think, you might find out. What does noexec do, hm?
> >
> > Even *you* might find out...
> >
> > Well... If I think about it... No, you're too clueless
> > to find out.
> >
> > Hint 1: "noexec" nowadays makes it impossible to execute
> > programs stored on that filesystem.
>
> I know, but it won't save you from anything.
> After a user got in, he is a user. And every user has a place with write
> permission (if he is user apache/httpd he has lots of places, where he can
> store code). Outside of /tmp.

Where?

--
gentoo-user@g.o mailing list
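The thread turns on whether a separate /tmp mounted with "noexec" buys anything when other user-writable locations are not mounted the same way. The script below is an added example from the editor, not from any of the posters: it audits an fstab-style table and reports whether a given mount point carries the hardening options a defender would expect (noexec, nosuid, nodev). It goes a little beyond the thread's single case in that it checks any mount point, so it can be pointed at /var/tmp or /home as well. The two fstab tables, the device names and the option lists are constructed sample input, not taken from the thread.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): audit an fstab-style
# table and report whether a mount point carries the given hardening options.
# Both tables below are constructed samples; devices are placeholders.
FSTAB_WEAK='/dev/sda1  /      ext3  defaults                        0 1
/dev/sda2  /tmp   ext3  defaults                        0 2'

FSTAB_HARD='/dev/sda1  /      ext3  defaults                        0 1
/dev/sda2  /tmp   ext3  defaults,noexec,nosuid,nodev    0 2'

# Print the mount options (4th field) of the entry for mount point $2 in the
# fstab text $1, or nothing when no entry exists. Comments and blank lines
# are skipped; only the first matching entry is reported.
fstab_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[[:space:]]*(#|$)/ { next }
        $2 == mp { print $4; exit }'
}

# Return 0 when every option in the comma-separated list $3 is present in the
# options of mount point $2 inside fstab text $1; print the missing ones and
# return 1 otherwise. Return 2 when $2 has no entry of its own, since it then
# simply lives on the parent filesystem with that filesystem's options.
check_mount_hardening() {
    opts=$(fstab_opts "$1" "$2")
    [ -n "$opts" ] || { echo "$2: no separate entry"; return 2; }
    missing=""
    for want in $(printf '%s' "$3" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$2: missing$missing"
        return 1
    fi
    echo "$2: ok ($opts)"
    return 0
}

# Demo run over both constructed tables; the "|| :" keeps the report going
# even when a check fails, so that every result is printed.
for table in "$FSTAB_WEAK" "$FSTAB_HARD"; do
    check_mount_hardening "$table" /tmp noexec,nosuid,nodev || :
done
```

To audit a live system, feed it the real table, e.g. `check_mount_hardening "$(cat /etc/fstab)" /tmp noexec,nosuid,nodev`, and repeat for every other directory that ordinary users or service accounts can write to; a /tmp that is hardened while /var/tmp or the home directories are not is exactly the gap the thread argues about.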