Date: Tue, 21 Dec 2010 23:19:37 +0100
From: Martin Zobel-Helas <zobel@ftbfs.de>
To: Vladislav Kurz <vladislav.kurz@webstep.net>
Cc: debian-security@lists.debian.org
Subject: Re: Long Exim break-in analysis
X-Mailing-List: <debian-security@lists.debian.org> archive/latest/24247
Hi,
On Tue Dec 21, 2010 at 23:07:37 +0100, Vladislav Kurz wrote:
> Lessons learned:
> 1. subscribe to DSA and run apt-get
> 2. /var/spool, /var/tmp, /tmp and other places where unprivileged
> users can write, should be mounted nosuid and even better noexec. It
> seems that this could prevent the attack, or at least make it much
> more difficult.
>
> As for point 2, it's a pity that dpkg is using /tmp and /var/lib/dpkg/
> to run scripts during installation and removal of packages. It would
> be nice if whole /var could be mounted noexec.
# cat apt.conf.d/01remount
DPkg::Pre-Invoke {"if mount | awk '{print $3}' | grep -q '^/tmp$'; then /bin/mount -o remount,exec /tmp; fi";};
DPkg::Post-Invoke {"if mount | awk '{print $3}' | grep -q '^/tmp$'; then /bin/mount -o remount,noexec /tmp; fi";};
--
Martin Zobel-Helas <zobel@debian.org> | Debian System Administrator
Debian & GNU/Linux Developer | Debian Listmaster
Public key http://zobel.ftbfs.de/5d64f870.asc - KeyID: 5D64 F870
GPG Fingerprint: 5DB3 1301 375A A50F 07E7 302F 493E FB8E 5D64 F870
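The apt.conf.d hook above decides whether to remount by grepping the human-oriented output of mount(8), and it never verifies that noexec is back in place once dpkg has finished. The script below is an added example for this archive page, not code from either poster: it performs the same "is /tmp its own mount?" check against /proc/mounts, adds a check that nosuid and noexec are actually set between package runs, and defaults to a dry run so it can be read and tested without root. MOUNTS_FILE and DRY_RUN are names chosen for this demo, not apt or dpkg settings; the mount table at the bottom is constructed sample data in /proc/mounts format.

```shell
#!/bin/sh
# Added example (not from the list post). /proc/mounts fields are:
#   device mountpoint fstype options dump pass
# MOUNTS_FILE and DRY_RUN are assumptions for this demo, not dpkg/apt options.

MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"
DRY_RUN="${DRY_RUN:-1}"

# is_separate_mount MOUNTPOINT: succeed when MOUNTPOINT is listed as its own mount.
# Exact field match, so /tmp does not match /tmpfoo the way a loose grep might.
is_separate_mount() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# has_mount_option MOUNTPOINT OPTION: succeed when OPTION appears in that mount's
# comma-separated option list (whole-token match, so "exec" never matches "noexec").
has_mount_option() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
        END { exit !found }' "$MOUNTS_FILE"
}

# remount_with MOUNTPOINT OPTION: the body of the Pre-/Post-Invoke hook.
# Only touches a genuine separate mount; with DRY_RUN=1 it prints the command instead.
remount_with() {
    mp="$1"; opt="$2"
    if ! is_separate_mount "$mp"; then
        echo "skip: $mp is not a separate mount" >&2
        return 0
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: mount -o remount,$opt $mp"
    else
        mount -o remount,"$opt" "$mp" || return 1
    fi
}

# check_hardening MOUNTPOINT: the state you want outside dpkg runs (nosuid and noexec).
# Prints one status word; returns 0 only when both options are present.
check_hardening() {
    mp="$1"
    if ! is_separate_mount "$mp"; then
        echo "not-a-mount"; return 1
    fi
    if has_mount_option "$mp" noexec && has_mount_option "$mp" nosuid; then
        echo "hardened"; return 0
    fi
    echo "exec-allowed"; return 1
}

# Constructed sample mount table (not captured from a real host), used stand-alone.
SAMPLE_MOUNTS="$(mktemp)"
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
EOF

# Demo against the sample table: /tmp is hardened, /var is a mount without noexec,
# /home is not a separate mount at all.
MOUNTS_FILE="$SAMPLE_MOUNTS"
for mp in /tmp /var /home; do
    printf '%s: %s\n' "$mp" "$(check_hardening "$mp")"
done
remount_with /tmp exec      # what the Pre-Invoke hook would do
remount_with /tmp noexec    # what the Post-Invoke hook would do
remount_with /home exec     # skipped: not its own mount
```

Running check_hardening from cron or a monitoring agent catches the case the original hook cannot: dpkg aborted between Pre-Invoke and Post-Invoke, leaving /tmp mounted exec until someone notices.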