-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 24 May 2006 01:38:05 +0930
Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:

> On Tue, 2006-05-23 at 13:11 +0100, Paul Howarth wrote:
> > If you have /tmp on a separate partition, I'd seriously consider
> > mounting it noexec,nodev. If it's not a separate partition, I'd
> > seriously consider making one for it on an Internet-exposed web
> > server.
> > Same goes for /var.
>
> I haven't struck any problems with doing that to /tmp/, but if you have
> a chrooted BIND and a nodev mounted /var/ you strike problems with it
> not being able to use its chrooted /dev/random, at least. And a noexec
> mounted /var/ requires you to have your webserver cgi-bin programs
> stored in another location (e.g. /srv/www/cgi-bin/). Not sure how
> that'd impinge on PHP, etc.
>
> I can't think of any other gotchas to prepare for at the moment.
>

I have the cgi-bin disabled in apache. I do not use it.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEczcWfw3TK8jhZrsRAl21AKDYJdZ2dqM5sLdZser77z1DV3YkJgCcDDMr
XlIKmyzpEWQy5oaFF+vj24c=
=zUiC
-----END PGP SIGNATURE-----
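An added example, not part of the thread: a shell audit for the noexec,nodev advice and the two gotchas raised above (device nodes under a nodev mount, executables under a noexec mount). The function names and the sample mount table are constructed for illustration; the input format is that of /proc/mounts.

```shell
#!/bin/sh
# Constructed sample mount table (device mountpoint fstype options dump pass).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,noexec,nodev 0 0
/dev/sda3 /var ext3 rw,nodev 0 0'

# missing_opts MOUNTPOINT [MOUNTS_FILE]   (MOUNTS_FILE "-" reads stdin)
# Prints "not-separate" if MOUNTPOINT is not its own mount, otherwise the
# space-separated hardening options that are absent (empty = both set).
missing_opts() {
    _mp=$1
    _file=${2:-/proc/mounts}
    awk -v mp="$_mp" -v want="noexec nodev" '
        $2 == mp { found = 1; opts = $4 }   # last matching entry wins
        END {
            if (!found) { print "not-separate"; exit }
            n = split(want, w, " ")
            split(opts, have, ",")
            for (i in have) set[have[i]] = 1
            out = ""
            for (i = 1; i <= n; i++)
                if (!(w[i] in set)) out = out (out == "" ? "" : " ") w[i]
            print out
        }' "$_file"
}

# device_nodes DIR: character/block device nodes below DIR on the same
# filesystem. These stop working once DIR is mounted nodev (the chrooted
# BIND /dev/random case from the thread).
device_nodes() {
    find "$1" -xdev \( -type c -o -type b \) -print 2>/dev/null
}

# exec_files DIR: regular files with the owner execute bit below DIR.
# These can no longer be run once DIR is mounted noexec (the cgi-bin case).
exec_files() {
    find "$1" -xdev -type f -perm -100 -print 2>/dev/null
}

# Report on the constructed table; drop the pipe and the "-" to audit
# the live /proc/mounts instead.
for m in /tmp /var /home; do
    printf '%s: missing [%s]\n' "$m" \
        "$(printf '%s\n' "$SAMPLE_MOUNTS" | missing_opts "$m" -)"
done
```

Running `device_nodes /var` and `exec_files /var` before changing the mount options shows what would break after the remount.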