Date: Wed, 7 Sep 2011 13:39:33 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: /tmp fs type

On Wed, Sep 07, 2011 at 13:15 +0400, Vasiliy Kulikov wrote:
> While we have an option to setup /tmp as tmpfs, we probably should
> support bind mounts for /tmp (and /home?) to deny creating links to sxid
> binaries:

Well, not only sxid binaries.  Linking sxid binaries is a dangerous
attack vector, but it's not the only one.

If we care about sxid binaries, we can create bind mounts for
/{usr/,}{s,}bin/ as user-writable directories may contain /var/tmp/,
probably something in /var/spool/.

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
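The reason a separate mount for /tmp (tmpfs or a bind mount) blocks the "link to an sxid binary" trick is that hard links cannot cross a filesystem boundary. The script below is an added audit example, not code from the thread or from Owl: it checks whether a directory is its own mount point and whether user-writable directories share a filesystem with the directories that hold set-id binaries. It assumes GNU coreutils `stat` on Linux; the default directory lists are assumptions and can be overridden as arguments.

```shell
#!/bin/sh
# Added example (not from the original thread or from Owl): audit whether
# user-writable directories share a filesystem with set-id binary
# directories. Hard links cannot span filesystems, so a /tmp that is its own
# mount cannot hold a hard link to /usr/bin/passwd or similar.
# Assumes GNU coreutils `stat` (Linux). Directory lists are assumptions.

# Print "yes" if both paths are on the same filesystem (same st_dev),
# "no" if they differ, "missing" if either path cannot be stat'ed.
same_filesystem() {
    dev_a=$(stat -c %d "$1" 2>/dev/null) || { echo "missing"; return 2; }
    dev_b=$(stat -c %d "$2" 2>/dev/null) || { echo "missing"; return 2; }
    if [ "$dev_a" = "$dev_b" ]; then echo "yes"; else echo "no"; fi
}

# Succeed if the directory is a mount point, i.e. its device differs from
# its parent's. "/" is always a mount point, so it is special-cased.
is_mount_point() {
    [ "$1" = "/" ] && return 0
    dev_self=$(stat -c %d "$1" 2>/dev/null) || return 1
    dev_parent=$(stat -c %d "$1/.." 2>/dev/null) || return 1
    [ "$dev_self" != "$dev_parent" ]
}

# Warn (on stderr) about every writable directory that lies on the same
# filesystem as a set-id binary directory; print the number of such pairs.
# $1: space-separated writable dirs, $2: space-separated sxid dirs.
audit_link_boundaries() {
    writable=${1:-"/tmp /var/tmp /home /var/spool"}
    sxid=${2:-"/bin /sbin /usr/bin /usr/sbin"}
    count=0
    for w in $writable; do
        [ -d "$w" ] || continue
        for s in $sxid; do
            [ -d "$s" ] || continue
            if [ "$(same_filesystem "$w" "$s")" = "yes" ]; then
                echo "WARN: $w shares a filesystem with $s" \
                     "(hard links to set-id binaries are possible)" >&2
                count=$((count + 1))
            fi
        done
    done
    echo "$count"
}

# Usage: run the audit with the default lists and report mount status of /tmp.
if is_mount_point /tmp; then
    echo "/tmp is a separate mount point"
else
    echo "/tmp is NOT a separate mount point" >&2
fi
audit_link_boundaries >/dev/null
```

A count of zero means no listed writable directory can hold a hard link to a file in the listed sxid directories; a non-zero count identifies exactly which pairs a tmpfs or bind mount would separate. The check says nothing about symlinks, which can point anywhere and need the usual fs.protected_symlinks or a restricted-links kernel to be contained.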
