Date: Wed, 7 Sep 2011 13:49:45 +0400 From: Vasiliy Kulikov <segoon@...nwall.com> To: owl-dev@...ts.openwall.com Subject: Re: /tmp fs type Solar, On Wed, Sep 07, 2011 at 13:36 +0400, Solar Designer wrote: > On Wed, Sep 07, 2011 at 01:15:56PM +0400, Vasiliy Kulikov wrote: > > While we have an option to setup /tmp as tmpfs, > > This is more than just an option - this is the current default. And if > an admin overrides this default, then presumably they know what they're > doing. Maybe, but often fs type for /tmp is chosen not from security considerations, but performance or robustness. > > we probably should > > support bind mounts for /tmp (and /home?) to deny creating links to sxid > > binaries: > > /tmp is already a separate filesystem. As to /home, maybe. But we're > planning to (re-)harden the kernel anyway, so why bother with partial > workarounds in userspace? Just in case someone runs Owl userland with a > non-Owl kernel? How does the hardlink hardening protect against hardlinking into /home? > And what do you mean by "supporting" bind mounts? Aren't they already > supported (with a trivial edit to fstab)? Do you mean an installer > feature? If so, I see no reason to provide it if it's just for those > who would use a non-Owl kernel - that is, people who are willing to > customize the system on their own. I mean Owl 3.0 system installer with the default kernel. We don't plan to backport kernel hardening stuff to 3.0, do we? As to /home, Owl 4.0 would benefit too. Thanks, -- Vasiliy
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.