Re: HD, what is the better way
On Wed, Aug 08, 2001 at 03:01:16PM +0200, dariondol wrote:
> On Wed, Aug 08, 2001 at 02:37:13PM +0200, Fulvio wrote:
> > I found the doc on the Red Hat site, but I think it can be generalized
> > for this kind of thing; anyway, sorry if I posted some wrong
> > info :-))
There is also, more specifically:
http://secinf.net/info/unix/debian/Securing-Debian-HOWTO.html
> let's say that on a multi-purpose system, making separate partitions
> can help (for example) by letting the home directory (where the users'
> home directories usually live) be set up so that binaries cannot be
> executed on that partition .. so it is a "helping hand" for
> security ... the same could be said of the /tmp partition.
3.3 Mounting partitions the right way
When mounting an ext2 partition you have several additional options
you can apply to the mount call or to /etc/fstab. For instance, this is my
fstab entry for the /tmp partition:
/dev/hda7 /tmp ext2 defaults,nosuid,noexec,nodev 0 2
You see the difference in the options section. The option nosuid
ignores the setuid and setgid bits completely, while noexec forbids
execution of any program on that mount point and nodev ignores
device files. This sounds great, but it
* applies only to ext2 filesystems
* can be circumvented easily
The noexec option prevents binaries from being executed directly, but
is easily circumvented:
alex@joker:/tmp# mount | grep tmp
/dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)
alex@joker:/tmp# ./date
bash: ./date: Permission denied
alex@joker:/tmp# /lib/ld-linux.so.2 ./date
Sun Dec 3 17:49:23 CET 2000
However, many script kiddies have exploits which try to create and
execute files in /tmp. If they do not have a clue, they will fall into
this pit. In other words, if the user does not have a clue, he will
not fall into the pit of executing a trojaned binary in /tmp when he
accidentally adds /tmp to his PATH.
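As an added example (not part of the Securing Debian HOWTO quoted above and not code posted by anyone in this thread), here is a small POSIX sh audit that reads fstab-style lines and reports which of /tmp, /var/tmp, /dev/shm and /home are missing the nosuid, nodev and noexec options discussed above. The embedded sample fstab is constructed for the example, and the function names has_opt and audit_fstab, plus the choice of which mount points to watch, are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Securing Debian HOWTO or this thread.
# Reads fstab-style lines on stdin and reports mount points that lack the
# nosuid/nodev/noexec options discussed above.

# Constructed sample fstab (not a real system's file). /tmp is set up as in
# the HOWTO entry; /home deliberately lacks the hardening options.
SAMPLE_FSTAB='# <fs>    <mount> <type> <options>                    <dump> <pass>
/dev/hda1 /       ext2   defaults                     0 1
/dev/hda6 /home   ext2   defaults                     0 2
/dev/hda7 /tmp    ext2   defaults,nosuid,noexec,nodev 0 2
/dev/hda8 /var    ext2   defaults,nodev               0 2'

# Options expected on world-writable scratch space and on user home dirs.
# /home gets nosuid,nodev but not noexec: users usually need to run their
# own programs there, and noexec is only a speed bump anyway (see the
# ld-linux.so.2 bypass quoted above).
WANT_TMP="nosuid nodev noexec"
WANT_HOME="nosuid nodev"

# has_opt OPTS OPT: succeed if OPT appears in the comma-separated list OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab: read fstab text on stdin; print "<mount> missing <opt>" for
# every expected option that is absent. Returns 1 if anything was missing,
# 0 if every watched mount point carries all of its expected options.
audit_fstab() {
    rc=0
    while read -r fs mnt fstype opts dump pass; do
        # skip blank lines and comments
        case "$fs" in ''|'#'*) continue ;; esac
        case "$mnt" in
            /tmp|/var/tmp|/dev/shm) want=$WANT_TMP ;;
            /home)                   want=$WANT_HOME ;;
            *)                       continue ;;
        esac
        for o in $want; do
            if ! has_opt "$opts" "$o"; then
                echo "$mnt missing $o"
                rc=1
            fi
        done
    done
    return $rc
}

# Run against the constructed sample. On a real box: audit_fstab < /etc/fstab
if printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab; then
    echo "all watched mount points carry the expected options"
else
    echo "fix the entries above, then apply with: mount -o remount /tmp"
fi
```

Run on the constructed sample it reports `/home missing nosuid` and `/home missing nodev` and exits non-zero. Note that this only checks what fstab says; compare it with the live `mount` output as in the transcript above, since an entry that was edited but never remounted passes the file check while the running system is still unprotected. Passing the check also does not make /tmp safe against a determined attacker, for exactly the reason the HOWTO shows: noexec stops `./date`, not `/lib/ld-linux.so.2 ./date`.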