On Tue, May 14, 2002 at 09:40:41AM +0100, Roger Leigh wrote:
> > > Indeed, the one pro of having libexec that no one seems to
> > > have mentioned is mount options: if /etc/libexec is a separate file
> > > system, I can mount /lib with noexec, and only have the exec mount
> > > flag for libexec, and it adds a little more hassles to a cracker who
> > > has broken in. I am not sure whether this is enough to successfully
> > > advocate for the inclusion of libexec.
> >
> > The problem with this benefit is the small number of people who would
> > directly benefit from it - how many people do you know with separate
> > partitions for /usr/lib? I don't know many. Although, from a purely
> > paranoia standard, I can envision creating one for this very purpose and
> > think it is worth considering for that purpose. Having sheer paranoia
> > levels of security being available to those who would use them is a goal I
> > think we can all agree is not a bad thing.
>
> With a 2.4 kernel, you shouldn't need a separate partition:
>
> # mount --bind -o ro,noexec /lib /lib
> # mount --bind -o ro,noexec /usr/lib /usr/lib

*drool* I'd totally forgotten that you could do that. Count me officially
IN SUPPORT of cleaning executables out of /var, /lib, and /usr/lib for
sarge. I don't give a rip where they go, but I want them out of those
directories because _I_ want to do this now. ;)

> Bind mounting /usr/lib directly on top of itself with different mount
> options, you can achieve the same effect (I previously used it to set
> default filesystem umasks within certain directories). Hmm, after
> trying this out, it doesn't seem to work like it does for umasks (I
> can still run /lib/ld-linux.so.2), possibly a mount bug?

This is incredibly cool and I had not realized nor considered that --bind
could be used in this way. Thank you for the great suggestion, this will
let me basically do things like make certain directories read-only when I
am not explicitly upgrading packages.

Not all of /usr, necessarily, but certainly /usr/bin, /usr/lib, and
/usr/local/{lib,bin} as well.. I can then just change it for upgrades and
put the safety measure back in place when I'm done upgrading things.

Thanks. =D

-- 
Joseph Carter <knghtbrd@bluecherry.net>            Available in cherry and grape

<Culus> there is 150 meg in the /tmp dir! DEAR LORD
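An added check, not part of this thread, for the problem Roger hit above: the options passed to `mount --bind` may not actually be applied, so verify from the mount table that the target carries `ro` and `noexec` before trusting it. It assumes the `/proc/mounts` line format (device, mountpoint, type, options) and, as the remedy mount(8) documents, a second `mount -o remount,bind,ro,noexec /lib /lib` step; the mount tables below are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original thread): confirm that a bind
# mount really carries the noexec and ro flags, using /proc/mounts
# formatted input.  The options given to "mount --bind" may be ignored;
# mount(8) documents applying them with a remount:
#   mount --bind /lib /lib
#   mount -o remount,bind,ro,noexec /lib /lib
#
# Constructed sample tables (not captured from a real host): the first
# is what a plain "mount --bind" leaves behind, the second the state
# after the remount step.
BEFORE_REMOUNT='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw 0 0
/dev/sda1 /lib ext3 rw 0 0'
AFTER_REMOUNT='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw 0 0
/dev/sda1 /lib ext3 ro,noexec 0 0'

# mount_opts TABLE MOUNTPOINT -> option field of the last matching entry
# (later entries shadow earlier ones, as they do in /proc/mounts).
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# has_opt TABLE MOUNTPOINT OPT -> exit 0 if OPT is in the option list.
has_opt() {
    opts=$(mount_opts "$1" "$2")
    case ",$opts," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_noexec TABLE MOUNTPOINT -> "ok" when both ro and noexec are set,
# otherwise "missing:<options actually present>".
check_noexec() {
    if has_opt "$1" "$2" noexec && has_opt "$1" "$2" ro; then
        echo ok
    else
        echo "missing:$(mount_opts "$1" "$2")"
    fi
}

# Against a live system: check_noexec "$(cat /proc/mounts)" /lib
```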