Re: apt-get and mounting /tmp with noexec option
On Sun, Jan 18, 2004 at 03:06:07PM +1100, Rob Weir wrote:
-snip-
> noexec /tmp is NOT supported under Debian. Also, are you aware that it
> provides very little protection? Try an experiment:
>
> $ cp /bin/ls /tmp
> $ /tmp/ls
> [permission denied]
> $ /lib/ld-linux.so.2 /tmp/ls
> [directory listing]
It does provide some protection against automated attacks; the last Apache
worm was stopped by this trick.
Now what about moving all suid binaries to a dedicated partition, and
mounting everything else with nosuid?
I understand that for those that admin hundreds of servers, such
customizations cause problems. But security is getting more important
every day.
--
Frode Haugsgjerd
Norway
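
An added illustration of the nosuid proposal in the message above (not part of the original post): a check that reads a mount table in /proc/mounts format and lists the mount points still missing a given option. The `/suid` mount point and the sample table are constructed for the example.

```shell
# Constructed sample in /proc/mounts format; /suid is a hypothetical
# partition set aside for setuid binaries.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev 0 0
/dev/sda4 /var ext3 rw 0 0
/dev/sda5 /suid ext3 rw,nodev 0 0
proc /proc proc rw 0 0
EOF
}

# mounts_missing_opt OPTION [EXEMPT_MOUNTPOINT]
# Reads a mount table on stdin and prints every mount point whose option
# list lacks OPTION, skipping kernel pseudo-filesystems and the one
# mount point that is allowed to go without it.
mounts_missing_opt() {
    awk -v want="$1" -v exempt="$2" '
        $3 == "proc" || $3 == "sysfs" || $3 == "devpts" { next }
        $2 == exempt { next }
        {
            n = split($4, opts, ",")
            found = 0
            # Compare whole options so "suid" never matches "nosuid".
            for (i = 1; i <= n; i++) if (opts[i] == want) found = 1
            if (!found) print $2
        }'
}

# List setuid files on one filesystem only (-xdev does not cross mounts);
# these are the files that would have to move to the dedicated partition.
suid_files_on() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null
}

# On a live system:
#   mounts_missing_opt nosuid /suid < /proc/mounts
#   suid_files_on /var
```

As the quoted experiment shows, `noexec` only blocks direct execution, so a clean report for that option does not mean files on the mount cannot be run through the dynamic loader.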