On Friday 16 January 2009, Mike Dornberger <Mike.Dornberger@gmx.de> wrote about 'Re: basically security of linux':
> Hi,
>
> just an addition: Often I've seen /home as a separate mount (mounted
> nosuid,nodev,...) and /tmp as tmpfs, but then we have /var/tmp (which
> can't be tmpfs, because its purpose is to retain the files even across
> reboots).
>
> I haven't tried it yet, but could a bind-mount be done (e. g.
> /var/real-tmp -> /var/tmp) with additional options nosuid,nodev,...
> (while /var or / is mounted suid,dev,...)?

I don't think bind mounts can change the effective permissions. If I mount -o bind,nodev /dev /mnt, mount shows the "nodev" option, but /proc/mounts doesn't, and devices like /mnt/null and /mnt/zero work as expected.

That said, you probably could mkdir /home/var with the right permissions and then mount -o bind /home/var /var/tmp to get what you are after.

In any case, dpkg-installed suid binaries do get scrubbed after they aren't in use, so you only have to worry about suid binaries you've created yourself.

--
Boyd Stephen Smith Jr.
bss@iguanasuicide.net
ICQ: 514984 YM/AIM: DaTwinkDaddy
http://iguanasuicide.net/
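The reply above makes the practical point that mount(8)'s own output and the kernel's view in /proc/mounts can disagree about a bind mount's options. The following is an added example, not code from the thread: a POSIX sh helper that checks a /proc/mounts-style table for the options in effect on a mount point, run here against a constructed sample table. On a live system you would pass "$(cat /proc/self/mounts)" as the table.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Checks, from text in
# /proc/mounts format, whether a mount point carries every option listed.
# /proc/self/mounts reflects the kernel's actual mount flags, whereas
# mount(8) may report whatever was written to /etc/mtab at mount time.

# Constructed sample table in /proc/mounts format:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda2 /var/tmp ext3 rw,relatime,errors=remount-ro 0 0'

# mount_has_opts TABLE MOUNTPOINT OPT...
#   returns 0 if every OPT is set on MOUNTPOINT,
#           1 if MOUNTPOINT is mounted but lacks at least one OPT,
#           2 if MOUNTPOINT does not appear in the table at all.
# The last matching line wins: a later mount (e.g. a bind mount) over the
# same path shadows earlier entries, just as the kernel resolves it.
mount_has_opts() {
    table=$1
    mp=$2
    shift 2
    opts=$(printf '%s\n' "$table" |
        awk -v mp="$mp" '$2 == mp { opts = $4 } END { print opts }')
    [ -n "$opts" ] || return 2
    for want; do
        case ",$opts," in
            *",$want,"*) ;;          # option present
            *) return 1 ;;           # option missing
        esac
    done
    return 0
}

# Report on the paths discussed in the thread.
for mp in /home /tmp /var/tmp; do
    if mount_has_opts "$SAMPLE_MOUNTS" "$mp" nosuid nodev; then
        echo "$mp: nosuid,nodev in effect"
    else
        echo "$mp: NOT hardened (nosuid/nodev missing)"
    fi
done
```

On kernels since 2.6.26 the flags can be applied to a bind mount with a second step, `mount -o remount,bind,nosuid,nodev /var/tmp`; this check is how to confirm from /proc/self/mounts that they actually took effect.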