Re: [exim-dev] External barriers to privilege escalation

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MW B Hacker at <-
MW B Hacker at ->
Delete this message
Reply to this message
Author: Hilko Bengen
Date:  
To: exim-dev
Subject: Re: [exim-dev] External barriers to privilege escalation
* W B Hacker:

> - ALL? Per OpenBSD practice, the production FreeBSD boxen now mount /var, and
> /<the mailstore> as noexec, nosuid.
>
> I'd call that one an 'ALL' until someone points out what it harms, and WHY that
> critter is allowed to <whatever>...

On a Linux (Debian) box

# mount --bind /var/spool/exim4 /var/spool/exim4
# mount -oremount,noexec,nosuid /var/spool/exim4

should make at least the mail store unusable for dropping executables.
Of course, this doesn't help against executing dropped shell scripts and
calling ld.so directly where that is possible.

-Hilko

This message was posted to the following mailing lists:
Exim-dev
Mailing List Info | Nearby Messages		<-Re: [exim-dev] What user should ${run...} in config file run as?Re: [exim-dev] What user should ${run...} in config file run as?->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)