On Thu, 2006-12-07 18:44 Miguel Sousa Filipe wrote: > Hi, > > On 11/4/06, Joe Knall <[EMAIL PROTECTED]> wrote: > > On Sat, 2006-11-04 16:00 Paul de Vrieze wrote: > > > On Saturday 04 November 2006 12:11, Joe Knall wrote: > > > > can/does mounting a partition with noexec, ro etc. provide > > > > additional security or are those limitations easy to > > > > circumvent? > > > > > > > > Example: webserver running chrooted > > > > all libs and executables (apache, lib, usr ...) on read only > > > > mounted partition /srv/www, data dirs (logs, htdocs ...) on > > > > partition /srv/www/data mounted with noexec (but rw of course), > > > > no cgi needed. > > > > Server is started with "chroot /srv/www /apache/bin/httpd -k > > > > start". > > > > > > Besides this, you must also add nodev to prevent those kinds of > > > circumventions > > > > > > Paul > > > > correct, it's atually like this > > /srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr) > > /srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr) > > I cannot have any kind of a intrepreted language supported in those > environments.. > or a simple perl/php/lisp "data" file can circunvent those attacks!
When I get you right, you mean the P in Lamp makes these limitations (ro, noexec, nodev, chroot ...) nonsense. Ok, what makes you think so? How do you do it (get a shell, root access, hijack the box ...)? What's a better approach to prevent it? Joe -- gentoo-security@gentoo.org mailing list
