strange software installation problem
Fraser Campbell
fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org
Tue Jan 13 17:31:36 UTC 2004
On Tuesday 13 January 2004 11:32, Tim Writer wrote:
> Alex Maynard <amaynard-vQ8rsROW2HJSpjfjxSPG1fd9D2ou9A/h at public.gmane.org> writes:
> > Is it a good idea to add something like "exec" into the /etc/fstab? Are
> > there many viruses spread by cdrom?
>
> That depends. If you use the user option with your cdrom in /etc/fstab
> then _any_ user of the system can mount a cdrom. If you trust all your
> users, (e.g. if this is your home system), adding exec is safe. Otherwise,
> it's another potential avenue of attack. Of course, noexec doesn't buy you
> much additional security as most users will have access to a file system
> (like /home) where they can execute binaries. So, it's simple enough to
> copy a program from the CD to their home.
One place where I think noexec is useful is /tmp. Unless you chroot a daemon
it can write to /tmp ... making /tmp nosuid and noexec makes life a little
harder for people to write exploits/worms like slapper.
I'm getting more and more paranoid by the day. Last night someone scanned my
server and tried 60 ftp logins in about 50 seconds (several per second)
obviously using a list of predefined usernames and an automated procedure to
connect.
I mount /usr rw and /tmp as noexec,nosuid on all of my Debian systems
(desktops and servers). You have to remount /tmp with the exec option and
/usr rw (obviously) for package upgrades but I have not found any problem
with those settings in normal operation.
--
Fraser Campbell <fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
More information about the Legacy
mailing list