Paul Howarth wrote: >> > >My point was that there's no way of knowing what undiscovered >> > >vulnerabilities there are on your system, so having multiple layers of >> > >defences such as firewalls, mounting /var and /tmp partitions with >> > >noexec, selinux etc. all help to mitigate the risk. > The noexec option on /var and /tmp has caused me a few issues in the > past, and they can be quite hard to diagnose, as everything may appear > to be working normally most of the time. I can (sort of) see the argument for noexec on /var , but why on /tmp ? This seems to me a bit like locking the loo in case someone breaks into the house. Actually, that is something I have never really understood about selinux. It has always seemed to me that if someone broke into my system they could do so much damage anyway it is hardly worth while trying to minimise the damage. I'd feel I had to re-install the system anyway, as I could never be sure something evil had not been left behind. But that is probably just a reflection of my ignorance? -- Timothy Murphy e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie tel: +353-86-2336090, +353-1-2842366 s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
