Author: W B Hacker Date: To: Hilko Bengen CC: exim-dev Subject: Re: [exim-dev] External barriers to privilege escalation
Hilko Bengen wrote: > * W B Hacker:
>
>> - ALL? Per OpenBSD practice, the production FreeBSD boxen now mount /var, and
>> /<the mailstore> as noexec, nosuid.
>>
>> I'd call that one an 'ALL' until someone points out what it harms, and WHY that
>> critter is allowed to<whatever>...
>
> On a Linux (Debian) box
>
> # mount --bind /var/spool/exim4 /var/spool/exim4
> # mount -oremount,noexec,nosuid /var/spool/exim4
>
> should make at least the mail store unusable for dropping executables.
+1 ACK - spool / queue anyway. (my mailstore never has been in /var)
> Of course, this doesn't help against executing dropped shell scripts
It may do so to some extent. 'depends on (other externals..) ++...'
> and
> calling ld.so directly where that is possible.
>
Whole 'nuther can of worms, that one ...
> -Hilko
>
>
IMNSHO, there needs to be a gathering of Penguins on that score.
Reasonably OS-agnostic, I'm of the opinion that comparable levels of expertise
and paranoia can 'harden' a Linbox or *BSD box to approximately the same degree.
But I personally have to plead ignorance on 'how so' outside of *BSD land, so -
.. given that - AFAIK - Exim is more often riding on Linux than not, some
research and write ups from those who DO know, seem to be a good idea.
I *hope* to (eventually) see Exim able to not-ever need 'root' privs, but
meanwhile. and more realistically, 'belt AND braces' ....
