Author: Hilko Bengen
Date:
To: exim-dev
Subject: Re: [exim-dev] External barriers to privilege escalation
* W B Hacker:
> - ALL? Per OpenBSD practice, the production FreeBSD boxen now mount /var, and
> /<the mailstore> as noexec, nosuid.
> I'd call that one an 'ALL' until someone points out what it harms, and WHY that
> critter is allowed to <whatever>...
On a Linux (Debian) box
# mount --bind /var/spool/exim4 /var/spool/exim4
# mount -oremount,noexec,nosuid /var/spool/exim4
should make at least the mail store unusable for dropping executables.
Of course, this doesn't help against executing dropped shell scripts and
calling ld.so directly where that is possible.
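As an added example (not part of the thread), a small POSIX shell check that reads a /proc/mounts-style table and reports whether a mount point carries noexec and nosuid, which is the state the two mount commands above leave /var/spool/exim4 in; the mount table below is constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a mount point carries
# the noexec and nosuid options by reading a /proc/mounts-style table.
# Assumed helper names: mount_has_opts, sample_mounts, demo.

# mount_has_opts MOUNTPOINT MOUNTS_FILE OPT...
# Returns 0 if every OPT is set on MOUNTPOINT, 1 if any is missing,
# 2 if MOUNTPOINT does not appear in MOUNTS_FILE. Missing options are printed.
mount_has_opts() {
    mp=$1; mounts=$2; shift 2
    # If a path is mounted over more than once, /proc/mounts lists the
    # topmost (effective) mount last, so keep the last matching line.
    line=$(awk -v mp="$mp" '$2 == mp { l = $0 } END { print l }' "$mounts")
    [ -n "$line" ] || { echo "not mounted: $mp"; return 2; }
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    rc=0
    for want in "$@"; do
        case ",$opts," in
            *,"$want",*) ;;
            *) echo "missing $want on $mp"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample in /proc/mounts format (not a dump of a real system):
# the spool has been bind-mounted and remounted noexec,nosuid as in the
# message above; /home has not.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /var/spool/exim4 ext4 rw,nosuid,noexec,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
EOF
}

# Demo: on a live system pass /proc/mounts instead of the sample file.
demo() {
    f=$(mktemp)
    sample_mounts >"$f"
    mount_has_opts /var/spool/exim4 "$f" noexec nosuid && echo "spool: ok"
    mount_has_opts /home "$f" noexec nosuid || echo "home: not hardened"
    rm -f "$f"
}
demo
```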