Re: [exim-dev] External barriers to privilege escalation

Top Page

Reply to this message
Author: Hilko Bengen
To: exim-dev
Subject: Re: [exim-dev] External barriers to privilege escalation
* W B Hacker:

> - ALL? Per OpenBSD practice, the production FreeBSD boxen now mount /var, and
> /<the mailstore> as noexec, nosuid.
> I'd call that one an 'ALL' until someone points out what it harms, and WHY that
> critter is allowed to <whatever>...

On a Linux (Debian) box

# mount --bind /var/spool/exim4 /var/spool/exim4
# mount -oremount,noexec,nosuid /var/spool/exim4

should make at least the mail store unusable for dropping executables.
Of course, this doesn't help against executing dropped shell scripts and
calling directly where that is possible.