
Re: apt-get and mounting /tmp with noexec option



On Sun, Jan 18, 2004 at 03:06:07PM +1100, Rob Weir wrote:
-snip-
> noexec /tmp is NOT supported under Debian.  Also, are you aware that it
> provides very little protection?  Try an experiment:
> 
> $ cp /bin/ls /tmp
> $ /tmp/ls
> [permission denied]
> $ /lib/ld-linux.so.2 /tmp/ls
> [directory listing]

It does provide some protection against automated attacks; the last Apache
worm was stopped by this trick.

Now what about moving all suid binaries to a dedicated partition, and
mounting everything else with nosuid?

I understand that for those that admin hundreds of servers, such
customizations cause problems. But security is getting more important
every day.

--
Frode Haugsgjerd
Norway
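
The layout proposed in this message (one partition for suid binaries, everything else nosuid, /tmp noexec) can be checked from the mount table. The following is an added example, not part of the original post: a shell function that reads `/proc/mounts`-format lines and reports deviations. The mount point `/suidbin`, the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mount table against the "dedicated suid partition" layout.
# Input format is that of /proc/mounts: device mountpoint fstype options dump pass

# audit_mounts DEDICATED  (mount table on stdin)
# Prints one finding per line:
#   SUID-ALLOWED <mp>  a filesystem other than DEDICATED honours suid bits
#   SUID-BLOCKED <mp>  DEDICATED itself is mounted nosuid (suid binaries would break)
#   TMP-EXEC <mp>      /tmp is mounted without noexec
audit_mounts() {
    awk -v dedicated="$1" '
        # Skip kernel pseudo filesystems; they hold no regular binaries.
        $3 == "proc" || $3 == "sysfs" || $3 == "devpts" { next }
        {
            nosuid = noexec = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] == "nosuid") nosuid = 1
                if (opts[i] == "noexec") noexec = 1
            }
            if (!nosuid && $2 != dedicated) print "SUID-ALLOWED " $2
            if (nosuid && $2 == dedicated)  print "SUID-BLOCKED " $2
            if ($2 == "/tmp" && !noexec)    print "TMP-EXEC " $2
        }'
}

# Constructed sample mount table (not taken from a real host).
# /suidbin is a hypothetical mount point for the dedicated suid partition.
sample_mounts() {
    cat <<'EOF'
/dev/hda1 / ext3 rw,nosuid 0 0
/dev/hda2 /suidbin ext3 rw 0 0
/dev/hda3 /tmp ext3 rw,nosuid,nodev 0 0
/dev/hda4 /home ext3 rw,nodev 0 0
proc /proc proc rw 0 0
EOF
}

# Run against the sample; on a live system use: audit_mounts /suidbin < /proc/mounts
sample_mounts | audit_mounts /suidbin
```

An empty result means every filesystem except the dedicated one is nosuid and /tmp is noexec.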


