[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: possible mass-filing of bugs: many shared library packages contain binaries in usr/bin



On Tue, May 14, 2002 at 09:40:41AM +0100, Roger Leigh wrote:
> > > 	Indeed, the one pro of having libexec that no one seems to
> > >  have mentioned is mount options: if /etc/libexec is a separate file
> > >  system, I can mount /lib with noexec, and only have the exec mount
> > >  flag for libexec, and it adds a little more hassles to a croacker who
> > >  has broken in. I am not sure whether this is enough to succefully
> > >  advocate for the inclusion of libexec.
> > 
> > The problem with this benefit is the small number of people who would
> > directly benefit from it - how many people do you know with seperate
> > partitions for /usr/lib?  I don't know many.  Although, from a purely
> > paranoia standard, I can envision creating one for this very purpose and
> > think it is worth considering for that purpose.  Having sheer paranoia
> > levels of security being available to those who would use them is a goal I
> > think we can all agree is not a bad thing.
> 
> With a 2.4 kernel, you shouldn't need a separate partition:
> 
> # mount --bind -o ro,noexec /lib /lib
> # mount --bind -o ro,noexec /usr/lib /usr/lib

*drool*  I'd totally forgotten that you could do that.

Count me officially IN SUPPORT of cleaning executables out of /var, /lib,
and /usr/lib for sarge.  I don't give a rip where they go, but I want them
out of those directories because _I_ want to do this now.  ;)


> Bind mounting /usr/lib directly on top of itself with different mount
> options, you can achieve the same effect (I previously used it to set
> default filesystem umasks within certain directories).  Hmm, after
> trying this out, it doesn't seem to work like it does for umasks (I
> can still run /lib/ld-linux.so.2), possibly a mount bug?

This is incredibly cool and I had not realized nor considered that --bind
could be used in this way.  Thank you for the great suggestion, this will
let me basically do things like make certain directories read-only when I
am not explicitly upgrading packages.  Not all of /usr, necessarily, but
certainly /usr/bin, /usr/lib, and /usr/local/{lib,bin} as well..  I can
then just change it for upgrades and put the safety measure back in place
when I'm done upgrading things.  Thanks.  =D

-- 
Joseph Carter <knghtbrd@bluecherry.net>      Available in cherry and grape
 
<Culus> there is 150 meg in the /tmp dir! DEAR LORD

Attachment: pgpCp3qBKkouI.pgp
Description: PGP signature


Reply to: