Re: [exim-dev] External barriers to privilege escalation

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Hilko Bengen
Datum:  
To: exim-dev
Betreff: Re: [exim-dev] External barriers to privilege escalation
* W B Hacker:

> - ALL? Per OpenBSD practice, the production FreeBSD boxen now mount /var, and
> /<the mailstore> as noexec, nosuid.
>
> I'd call that one an 'ALL' until someone points out what it harms, and WHY that
> critter is allowed to <whatever>...


On a Linux (Debian) box

# mount --bind /var/spool/exim4 /var/spool/exim4
# mount -oremount,noexec,nosuid /var/spool/exim4

should make at least the mail store unusable for dropping executables.
Of course, this doesn't help against executing dropped shell scripts and
calling ld.so directly where that is possible.

-Hilko