Author: W B Hacker
Date:
To: Hilko Bengen
CC: exim-dev
Subject: Re: [exim-dev] External barriers to privilege escalation

Hilko Bengen wrote:
> * W B Hacker:
>
>> - ALL? Per OpenBSD practice, the production FreeBSD boxen now mount /var, and
>> /<the mailstore> as noexec, nosuid.
>>
>> I'd call that one an 'ALL' until someone points out what it harms, and WHY that
>> critter is allowed to <whatever>...
>
> On a Linux (Debian) box
>
> # mount --bind /var/spool/exim4 /var/spool/exim4
> # mount -oremount,noexec,nosuid /var/spool/exim4
>
> should make at least the mail store unusable for dropping executables.

+1 ACK - spool / queue anyway. (my mailstore never has been in /var)

> Of course, this doesn't help against executing dropped shell scripts

It may do so to some extent. 'depends on (other externals..) ++...'

> and
> calling ld.so directly where that is possible.
>

Whole 'nuther can of worms, that one ...

> -Hilko
>
>
IMNSHO, there needs to be a gathering of Penguins on that score.
Reasonably OS-agnostic, I'm of the opinion that comparable levels of expertise
and paranoia can 'harden' a Linbox or *BSD box to approximately the same degree.
But I personally have to plead ignorance on 'how so' outside of *BSD land, so -
.. given that - AFAIK - Exim is more often riding on Linux than not, some
research and write ups from those who DO know, seem to be a good idea.
I *hope* to (eventually) see Exim able to not-ever need 'root' privs, but
meanwhile, and more realistically, 'belt AND braces' ....
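
Added example, not part of the original messages: a check that the filesystem holding a given path is mounted noexec,nosuid, read from a table in /proc/mounts format as it would look after the bind mount and remount quoted above. The names missing_flags and sample_mounts and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit mount options for a path against a mounts table
# in /proc/mounts format (device mountpoint fstype options dump pass).

# missing_flags MOUNTS_FILE PATH
# Prints the required flags (noexec, nosuid) that are absent on the
# filesystem holding PATH; prints an empty line when both are set.
missing_flags() {
    awk -v path="$2" '
    {
        mp = $2
        # A mount point covers the path if it equals it or is a parent directory.
        covers = (mp == "/" || path == mp || index(path, mp "/") == 1)
        # Longest mount point wins; on a tie the later line wins,
        # because a later mount shadows an earlier one.
        if (covers && length(mp) >= length(best)) { best = mp; opts = $4 }
    }
    END {
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++) have[o[i]] = 1
        out = ""
        if (!("noexec" in have)) out = out "noexec "
        if (!("nosuid" in have)) out = out "nosuid "
        sub(/ $/, "", out)
        print out
    }' "$1"
}

# Constructed sample: only the spool has been bind-mounted and remounted;
# /var itself still lacks the flags.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
/dev/sda2 /var/spool/exim4 ext4 rw,nosuid,noexec,relatime 0 0
EOF
}

tmp=$(mktemp) && sample_mounts > "$tmp"
for p in /var/spool/exim4/input /var/mail /var/spool/exim4-old; do
    m=$(missing_flags "$tmp" "$p")
    echo "$p: ${m:-ok}"
done
rm -f "$tmp"
```

On a live Linux host, pass /proc/mounts as the first argument; mount points containing spaces appear octal-escaped there and are not handled by this sketch.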