Author: Hilko Bengen
Date:
To: exim-dev
Subject: Re: [exim-dev] External barriers to privilege escalation
* W B Hacker:
> - ALL? Per OpenBSD practice, the production FreeBSD boxen now mount /var, and
> /<the mailstore> as noexec, nosuid.
>
> I'd call that one an 'ALL' until someone points out what it harms, and WHY that
> critter is allowed to <whatever>...
On a Linux (Debian) box
# mount --bind /var/spool/exim4 /var/spool/exim4
# mount -o remount,bind,noexec,nosuid /var/spool/exim4   # "bind" limits the remount to this mount point's own flags instead of the underlying filesystem
should make at least the mail store unusable for dropping executables.
Of course, this doesn't help against executing dropped shell scripts and
calling ld.so directly where that is possible.
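As an added check that is not part of the mail above: a POSIX sh function that finds which mount actually covers a given path (the longest mount point in /proc/self/mountinfo that is a prefix of it) and reports whether that mount carries both noexec and nosuid. The mountinfo lines are a constructed sample, and the optional file argument only exists so the check can be run without root against such a sample.

```shell
#!/bin/sh
# Constructed sample of /proc/self/mountinfo: / is ext4 without restrictions,
# /var/spool/exim4 is a bind mount of itself remounted nosuid,noexec, /tmp is
# a restricted tmpfs. Field order: id parent maj:min root mountpoint options ...
SAMPLE_MOUNTINFO='21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
45 21 8:1 /var/spool/exim4 /var/spool/exim4 rw,nosuid,noexec,relatime - ext4 /dev/sda1 rw,errors=remount-ro
46 21 0:19 / /tmp rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw'

# mount_flags PATH [MOUNTINFO_FILE]
# Prints the per-mount options of the mount covering PATH. The longest
# matching mount point wins, so a bind mount under /var shadows /var itself.
# (Real mountinfo escapes spaces in paths as \040; the sample has none.)
mount_flags() {
    path=$1
    file=${2:-/proc/self/mountinfo}
    best_len=-1
    best_opts=''
    while read -r _id _parent _dev _root mnt opts _rest; do
        case "$mnt" in
            /) match=1 ;;                       # root covers everything
            *) case "$path" in
                   "$mnt"|"$mnt"/*) match=1 ;; # exact or proper subpath
                   *) match=0 ;;
               esac ;;
        esac
        if [ "$match" -eq 1 ] && [ "${#mnt}" -gt "$best_len" ]; then
            best_len=${#mnt}
            best_opts=$opts
        fi
    done < "$file"
    printf '%s\n' "$best_opts"
}

# path_is_noexec_nosuid PATH [MOUNTINFO_FILE]
# Succeeds only when the covering mount has both noexec and nosuid set.
path_is_noexec_nosuid() {
    opts=$(mount_flags "$1" "$2")
    case ",$opts," in *,noexec,*) ;; *) return 1 ;; esac
    case ",$opts," in *,nosuid,*) return 0 ;; *) return 1 ;; esac
}

# Demo against the constructed sample (no root needed).
demo=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTINFO" > "$demo"
for p in /var/spool/exim4/input/msg /var/lib/exim4 /tmp/x; do
    if path_is_noexec_nosuid "$p" "$demo"; then echo "$p: noexec,nosuid"
    else echo "$p: NOT restricted ($(mount_flags "$p" "$demo"))"; fi
done
rm -f "$demo"
```

Run it without the file argument to check the live system; note that, as the mail says, a passing check still does not stop `sh script` or a direct ld.so invocation.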