On Tue, 2006-05-23 at 13:11 +0100, Paul Howarth wrote:
> If you have /tmp on a separate partition, I'd seriously consider
> mounting it noexec,nodev. If it's not a separate partition, I'd
> seriously consider making one for it on an Internet-exposed web
> server.
> Same goes for /var.

I haven't struck any problems with doing that to /tmp/, but if you have a
chrooted BIND and a nodev-mounted /var/ you strike problems with it not
being able to use its chrooted /dev/random, at least.

And a noexec-mounted /var/ requires you to have your webserver cgi-bin
programs stored in another location (e.g. /srv/www/cgi-bin/). Not sure
how that'd impinge on PHP, etc.

I can't think of any other gotchas to prepare for at the moment.

-- 
(Currently running FC4, occasionally trying FC5.)
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
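The two gotchas in the reply above (a chrooted BIND whose /dev sits on a nodev /var, and a cgi-bin directory on a noexec /var) are both things you can catch by reading the mount table before you flip the options. The script below is an added example, not code from the thread or from Fedora, Apache or BIND: it parses a /proc/mounts-style table, resolves each path to the filesystem that actually holds it (longest mount-point prefix wins) and reports the two conditions. The mount table is constructed for an offline run, and the paths /var/named/chroot, /var/www/cgi-bin and /srv/www/cgi-bin are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, Fedora, Apache or BIND): audit the mount
# options under paths that matter for the /tmp and /var hardening discussed
# in the thread.  It parses a /proc/mounts-style table and reports two gotchas:
#   1. a BIND chroot whose /dev sits on a nodev filesystem (open() of the
#      chroot's /dev/random then fails, so named cannot use it)
#   2. a cgi-bin directory on a noexec filesystem (the web server cannot
#      exec the CGI programs stored there)
# The chroot and cgi-bin paths below are assumptions for illustration, and the
# mount table is constructed, not captured from a real host.

SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /var ext3 rw,nodev,noexec 0 0
/dev/sda4 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda5 /srv ext3 rw 0 0'

# mount_options PATH [MOUNTS_TEXT]
# Prints the option string of the filesystem that holds PATH, choosing the
# mount point with the longest prefix match (so /var/named/chroot/dev resolves
# to the /var entry, not to /).  MOUNTS_TEXT defaults to the constructed
# sample; pass "$(cat /proc/mounts)" to audit a live system.
mount_options() {
    path=$1
    mounts=${2:-$SAMPLE_MOUNTS}
    printf '%s\n' "$mounts" | awk -v p="$path" '
        {
            mp = $2; n = length(mp)
            # "/" holds everything; otherwise PATH must equal the mount point
            # or start with "<mount point>/"
            if (mp == "/" || p == mp || substr(p, 1, n + 1) == (mp "/")) {
                if (n > best) { best = n; opts = $4 }
            }
        }
        END { print opts }'
}

# has_option OPTS OPT: true if the comma-separated list OPTS contains OPT as a
# whole item (so "dev" does not match "nodev")
has_option() {
    case ",$1," in
        *,"$2",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_chroot_dev CHROOT [MOUNTS_TEXT]: prints "nodev" if CHROOT/dev lives on
# a nodev filesystem (the BIND gotcha from the thread), otherwise "ok"
check_chroot_dev() {
    if has_option "$(mount_options "$1/dev" "$2")" nodev; then
        echo nodev
    else
        echo ok
    fi
}

# check_cgi_dir DIR [MOUNTS_TEXT]: prints "noexec" if DIR lives on a noexec
# filesystem (CGI programs there cannot be executed), otherwise "ok"
check_cgi_dir() {
    if has_option "$(mount_options "$1" "$2")" noexec; then
        echo noexec
    else
        echo ok
    fi
}

# Demo against the constructed table.
for d in /tmp /var /var/named/chroot/dev /var/www/cgi-bin /srv/www/cgi-bin; do
    echo "$d -> $(mount_options "$d" "$SAMPLE_MOUNTS")"
done
echo "BIND chroot /var/named/chroot: $(check_chroot_dev /var/named/chroot "$SAMPLE_MOUNTS")"
echo "CGI dir /var/www/cgi-bin:      $(check_cgi_dir /var/www/cgi-bin "$SAMPLE_MOUNTS")"
echo "CGI dir /srv/www/cgi-bin:      $(check_cgi_dir /srv/www/cgi-bin "$SAMPLE_MOUNTS")"
```

On a live box, call the check functions with `"$(cat /proc/mounts)"` as the second argument; the longest-prefix match matters there because a nested mount (say a separate /var/tmp with its own options) must win over its parent /var entry, which the resolver handles without special-casing.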