on Mon, Nov 27, 2000 at 11:51:10AM -0800, Joey Hess (joeyh@debian.org) wrote: > kmself@ix.netcom.com wrote: > > Damn, you're good: > > > > $ mount | grep '/var ' > > /dev/sdb6 on /var type ext2 (rw,noexec,nosuid,nodev) > > > > ...I figured it was a security bonus -- no executables in variable > > content filesystems. I'll have to rethink that one, clearly. > > I would feel bad and offer to change debconf, but I suspect you will see > similar problems when installing any package with a perinst script, or > probably any other maintainer script for that matter. I suspect this isn't something Debian can fix and make go away. Following discussion here a few weeks ago, I tweaked several of my partition mount options, specifically disallowing suid, dev, and exec privileges on a number of partitions. I suspect 'noexec' is going to be a bit problematic in a number of places. I've since changed /var to allow 'exec' privileges. # <fs> <mountpt> <type> <options> <dump> <pass> /dev/hda3 / ext2 defaults,errors=remount-ro 0 1 /dev/sdb5 /tmp ext2 defaults,nosuid,noexec,nodev 0 2 /dev/sdb6 /var ext2 defaults,nosuid,nodev 0 2 /dev/hda5 /var/spool/news ext2 defaults,nosuid,noexec,nodev 0 2 /dev/sda5 /usr ext2 defaults,ro,nodev 0 2 /dev/sdb7 /usr/local ext2 defaults,ro,nosuid,nodev 0 2 /dev/sda7 /home ext2 defaults,nosuid,nodev 0 2 /dev/hdc /mnt/cdrom iso9660 noauto,user,ro,nodev,nosuid 2 2 /dev/fd0 /mnt/floppy auto noauto,gid=disk,umask=007,rw,user 2 2 Note that 'user' implies noexec, nosuid, and nodev. Thoughts, anyone? -- Karsten M. Self <kmself@ix.netcom.com> http://www.netcom.com/~kmself Evangelist, Zelerate, Inc. http://www.zelerate.org What part of "Gestalt" don't you understand? There is no K5 cabal http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org
Attachment:
pgpKFIAh5Yt2N.pgp
Description: PGP signature