Re: WARNING:DO NOT UPGRADE TO CORE 4

Robert Locke wrote:

On Wed, 2005-07-13 at 14:16 -0500, Mike McCarty wrote:
Paul Howarth wrote:

<snip>

My point was that there's no way of knowing what undiscovered
vulnerabilities there are on your system, so having multiple layers of
defences such as firewalls, mounting /var and /tmp partitions with
noexec, selinux etc. all help to mitigate the risk.


Ah, an answer. I'm perhaps vulnerable to something being put into
/var or /tmp (/tmp world writable) and then being executed from there.

Now that's useful information. So, I possibly should remove '..x..x..x' from
/tmp? That's an idea. BTW, on my system, /tmp is not a separate volume.


Whoa, Mike.  Do not change the permissions on /tmp as you seem to be
implying.  Lots o' things will break if you change /tmp from its normal
1777 permissions (drwxrwxrwt).  Remember that "x" on a directory has
nothing to do with executing something really but rather is allowing
someone to "cd" into that directory....

I had forgotten that.

What the earlier suggestion was getting at for you was to modify the
"mount options" for your separate /tmp filesystem (presuming you have a
separate filesystem for /tmp).  You would edit /etc/fstab and find the
line relating to /tmp and change the fourth column to include "noexec"
and/or perhaps "nosuid".  Of course, some applications may presume an
ability to "exec" a file in /tmp and some applications may rely on that
file having the "SUID" bit set, so doing this could break something,
YMMV.....

Hmm. Sounds like a security violation to me. My machine is mine, not yours.
I don't intend to grant cycles/disc storage/anything to anyone but me, and
those I allow to log in. That's one reason I don't permit cookies. I know
that one reason not to allow cookies is to prohibit someone from collecting
information about where I browse etc. Well, that bothers me, but isn't the
main reason I prohibit cookies. You don't allow me to store files on your
machine do you? You paid for your disc, and you intend to use it. You don't
intend for me to use it. I have the same feelings. I don't grant anyone
privilege of storing anything on discs I paid for. End of discussion. Anyone
wants to store cookies on my machine, ok, you give me 100MB of exclusive use
space on your hard disc, I'll let you store one cookie. Deal?

I feel even more strongly about CPU time, partly because programs often
have defects and running them may have unintended consequences. Even
if the java is not intended to be malicious, that doesn't make my files come
back.

The goal in "hardening" a Linux box is always to try to figure out the
different ways that someone may try to inject code to execute on your
machine to grant them a) access, b) privilege, c) your data, or d) your
cycles.....  Best bet for you is probably to do some google'ing or pick
up an O'Reilly book or two on Security to assess some of the more common
exploitable areas.  Look for topics on "hardening Linux".  That will
keep you busy for quite some time.... :-)

Ok, I'll look for some NutShell stuff.

Good luck,

--Rob


Thanks.

Mike

--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
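
Added example, not part of the original thread: a shell check of the /etc/fstab advice above. It reports which of "noexec" and "nosuid" are missing from the fourth column for a mount point, and confirms a directory still has mode 1777. The function names and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# missing_mount_opts FSTAB MOUNTPOINT OPT...
# Prints the OPTs absent from the fourth column of MOUNTPOINT's line,
# or "no-entry" when MOUNTPOINT is not a separate filesystem in FSTAB.
missing_mount_opts() {
    fstab=$1; mp=$2; shift 2
    awk -v mp="$mp" -v want="$*" '
        $1 ~ /^#/ || NF < 4 { next }           # skip comments and short lines
        $2 == mp {
            found = 1
            n = split($4, have, ",")           # fourth column: mount options
            m = split(want, w, " ")
            out = ""
            for (i = 1; i <= m; i++) {
                ok = 0
                for (j = 1; j <= n; j++) if (have[j] == w[i]) ok = 1
                if (!ok) out = (out == "" ? w[i] : out " " w[i])
            }
            print out
            exit
        }
        END { if (!found) print "no-entry" }
    ' "$fstab"
}

# True when DIR still has the normal /tmp mode 1777 (drwxrwxrwt).
has_mode_1777() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwxrwxrwt" ]
}

# Constructed sample fstab (device names are made up for illustration).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# device                  mountpoint  type  options          dump pass
/dev/VolGroup00/LogVol00  /           ext3  defaults         1 1
/dev/VolGroup00/LogVol02  /tmp        ext3  defaults,nosuid  1 2
/dev/VolGroup00/LogVol03  /var        ext3  defaults         1 2
EOF

for mp in /tmp /var /var/tmp; do
    echo "$mp: missing [$(missing_mount_opts "$SAMPLE" "$mp" noexec nosuid)]"
done
if has_mode_1777 /tmp; then echo "/tmp mode: 1777"; else echo "/tmp mode: changed"; fi
```

A "no-entry" result corresponds to the case where the directory is not a separate volume, so there is no fstab line of its own to carry the options.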

