
Re: Re[2]: phpBB vulnerability exploited



On Mon, 13 Dec 2004, Marek Podmaka wrote:
>   Yes, I have been doing the same with /tmp, but some debian packages
>   won't install on noexec /tmp. But there are other directories on my
>   system which are world writable - for example /var/tmp and
>   /var/lock.

If you can make /tmp noexec, you can also make /var/tmp and /var/lock
noexec.

File wishlist bugs against packages that run stuff in /tmp, request that the
maintainer not close it but rather mark it "wontfix" if he doesn't want to
fix the bug (so that we can find which packages do not support noexec /tmp).
Use a consistent subject for this (e.g.:  <foo>: does not support noexec
/tmp)

>   Can entire /var be mounted noexec?

No. It will break all chroots, and also dpkg.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
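
One way to check which mount governs each of the directories named above and whether it carries noexec, as an added example that is not part of the original message. The mount table is a constructed sample in /proc/mounts format, and the function names are illustrative.

```sh
#!/bin/sh
# Constructed sample in /proc/mounts format (not from the original message).
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda5 /var ext3 rw 0 0
/dev/sda6 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda7 /var/tmp ext3 rw,nosuid,nodev,noexec 0 0
tmpfs /var/lock tmpfs rw,nosuid,nodev 0 0
EOF
}

# Print the options of the mount governing DIR ($1): the longest mount point
# that is DIR itself or a parent of it. The mount table is read from stdin.
mount_opts_for() {
    dir=$1; best=""; best_opts=""
    while read -r _dev mp _type opts _rest; do
        case "$dir/" in
            "${mp%/}/"*)
                # -ge: a later mount on the same point overrides an earlier one
                if [ "${#mp}" -ge "${#best}" ]; then
                    best=$mp; best_opts=$opts
                fi ;;
        esac
    done
    printf '%s\n' "$best_opts"
}

# Succeed if the mount governing DIR carries the noexec option.
is_noexec() {
    case ",$(mount_opts_for "$1")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report each DIR given as an argument; mount table on stdin.
audit_noexec() {
    table=$(cat)
    for d in "$@"; do
        if printf '%s\n' "$table" | is_noexec "$d"; then
            echo "$d noexec"
        else
            echo "$d EXEC-ALLOWED"
        fi
    done
}

sample_mounts | audit_noexec /tmp /var/tmp /var/lock
```

On a live system, feed it the real table instead of the sample: `audit_noexec /tmp /var/tmp /var/lock < /proc/mounts`.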


