On Thu, 2005-03-03 at 12:26 +0000, Paul Howarth wrote: > Thomas Zehetbauer wrote: > > On Thu, 2005-03-03 at 08:18 +0000, Paul Howarth wrote: > > > >>You don't say which distribution this web server was running, but I > >>suspect that if your Apache had been running under SELinux then the > >>attacker would not have been able to run any scripts from /tmp > >>or /var/tmp. So, when you rebuild the server, it would be well worth > >>considering using SELinux. > > > > > > You don't need SELinux for this, you could always mount /tmp with noexec > > flag. > > And /var too, provided they're separate partitions. Another good reason > not to install into just one big / partition. > > Paul. All good points, but most people on this list are likely scratching there heads wondering what you are talking about. I have not had a chance to read up on SELinux, but it is available to the average person on this list to enable and from what I have heard can provide an extra measure of security. If more secure mount options were configured at install some of these issues could be alleviated, but by default there are too few partitions created to make this possible. On a regular basis I deal with "Experts" who run servers with more holes than a spaghetti strainer. If SELinux can make it simple to assist in "hardening" a server, then it may be a better solution than adding a noexec flag to a partition that is not created by any default install options. Since most people install with only two or three partitions including the swap partition, they would have to reinstall to implement secure mount options.
