On Wed, 2006-05-24 at 01:38 +0930, Tim wrote:
> On Tue, 2006-05-23 at 13:11 +0100, Paul Howarth wrote:
> > If you have /tmp on a separate partition, I'd seriously consider
> > mounting it noexec,nodev. If it's not a separate partition, I'd
> > seriously consider making one for it on an Internet-exposed web
> > server.
> > Same goes for /var.
>
> I haven't struck any problems with doing that to /tmp/, but if you have
> a chrooted BIND and a nodev mounted /var/ you strike problems with it
> not being able to use its chrooted /dev/random, at least.

True. Noexec is probably more important to have though.

> And a noexec
> mounted /var/ requires you to have your webserver cgi-bin programs
> stored in another location (e.g. /srv/www/cgi-bin/). Not sure how
> that'd impinge on PHP, etc.

PHP apps should be installable into /usr/share really, but don't usually
need exec permission and so shouldn't be affected by noexec. CGIs need to
go elsewhere as you say though.

> I can't think of any other gotchas to prepare for at the moment.

There were some apps (logrotate springs to mind) that used to run
temporary scripts in /tmp during FC3 time but these seem to be fixed now.
My own server's been running OK like this for a long time.

Paul.
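A small audit script for the mount hardening discussed in the thread; this is an added example, not code from the thread or its participants. It reads a mounts table in /proc/mounts format from stdin (a constructed sample is embedded below; pipe the real /proc/mounts in instead) and reports which of the requested options a given mount point lacks, or whether it is a separate mount at all.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not taken from a real host).
# /tmp is hardened as suggested; /var has nodev but not noexec.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /tmp ext3 rw,noexec,nodev,nosuid 0 0
/dev/sda3 /var ext3 rw,nodev 0 0'

# check_mount_opts MOUNTPOINT OPT... : reads a mounts table from stdin and
# prints the requested options that MOUNTPOINT is not mounted with.
# Returns 0 if every option is present, 1 if some are missing,
# 2 if MOUNTPOINT is not a separate mount (so no option can apply).
check_mount_opts() {
    mp=$1; shift
    # Field 2 is the mount point, field 4 the comma-separated options.
    opts=$(awk -v mp="$mp" '$2 == mp { print $4; found = 1 }
                            END { if (!found) exit 2 }')
    rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "$mp is not a separate mount"
        return 2
    fi
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;                     # option present
            *) missing="$missing $want" ;;      # option absent
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp missing:$missing"
        return 1
    fi
    return 0
}

# Stand-alone use: audit the sample table for the two filesystems the
# thread talks about (swap the printf for 'cat /proc/mounts' on a live box).
audit_sample() {
    for mp in /tmp /var; do
        printf '%s\n' "$SAMPLE_MOUNTS" | check_mount_opts "$mp" noexec nodev
    done
    return 0
}
```

Run it against the real table with `check_mount_opts /var noexec nodev < /proc/mounts`; a non-zero exit is the signal to look at fstab.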