Re: [exim-dev] External barriers to privilege escalation

Páxina inicial
Esta mensaxe é parte do seguinte fío:
MÁrbore completa do fío ordenada por data
MW B Hacker o <-
MW B Hacker o ->
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Hilko Bengen
Data:  
Para: exim-dev
Asunto: Re: [exim-dev] External barriers to privilege escalation
* W B Hacker:

> - ALL? Per OpenBSD practice, the production FreeBSD boxen now mount /var, and
> /<the mailstore> as noexec, nosuid.
>
> I'd call that one an 'ALL' until someone points out what it harms, and WHY that
> critter is allowed to <whatever>...

On a Linux (Debian) box

# mount --bind /var/spool/exim4 /var/spool/exim4
# mount -oremount,noexec,nosuid /var/spool/exim4

should make at least the mail store unusable for dropping executables.
Of course, this doesn't help against executing dropped shell scripts and
calling ld.so directly where that is possible.

-Hilko

Esta mensaxe foi enviada ás seguintes listas:
Exim-dev
Información da lista | Mensaxes recentes		<-Re: [exim-dev] What user should ${run...} in config file run as?Re: [exim-dev] What user should ${run...} in config file run as?->
Tahini and Hummus and Cumin Development Archives administrado por cumin AdminsLurker (versión 2.3)