[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apt-get and mounting /tmp with noexec option

On Sun, Jan 18, 2004 at 03:06:07PM +1100, Rob Weir wrote:
> noexec /tmp is NOT supported under Debian.  Also, are you aware that it
> provides very little protection?  Try an experiment:
> $ cp /bin/ls /tmp
> $ /tmp/ls
> [permission denied]
> $ /lib/ld-linux.so.2 /tmp/ls
> [directory listing]

It does provide some protection against automated attacs, the last apache
worm was stopped by this trick.

Now what about moving all suid binarys to a dedicated partition, and
mounting everything else with nosuid?

I understand that for those that admin hundreds of servers, such
customizations cause problems. But security is getting more important
every day.

Frode Haugsgjerd

Reply to: