trying out older (read-only, noexec, mount) security methods
Tim
ignored_mailbox at yahoo.com.au
Fri Nov 11 01:13:03 UTC 2005
Tim:
>> Are there any known, current, problems with mounting certain things as
>> read-only or noexec to minimise harm? Such as making /tmp and /home
>> noexec? Or /usr read-only? Or any other suggestions?
James Wilkinson:
> I've got /tmp mounted nodev,noexec (and should probably mount /var the
> same way).
Well, I've found my first problem: Mounting /var with "noexec" means
that CGI scripts won't run for the web server. Took me a few minutes of
headscratching to realise what had gone wrong, as is the way when the
problem happens some time after a change. I've temporarily removed
"noexec" while I consider if I should move the /var/www/cgi-bin/
directory out of /var.
> A read-only /usr sounds like more trouble than it's worth: it *will*
> break yum updates. So you'll have to regularly remount it read-write
> (while the system's on-line) to update the machine.
Yes, that had been on my mind. I don't know if anything else writes to
it. If the updates were less frequent I might be more inclined to try
making it read-only. Of course, I could automate things by using a
script to remount it as writable, run YUM, then remount as read-only.
Then, I'd only have one thing to do.
Naturally, I realise that the moment I've got FC4 running pat, it'll be
outdated and I'll have to start over again with FC5.
--
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
More information about the fedora-list
mailing list