outgoing port block on fedorapeople.org

Mike McGrath mmcgrath at redhat.com
Tue Aug 3 13:42:37 UTC 2010


On Tue, 3 Aug 2010, seth vidal wrote:

> On Tue, 2010-08-03 at 06:20 -0500, Jason L Tibbitts III wrote:
> > >>>>> "JvM" == Jeroen van Meeuwen <kanarip at kanarip.com> writes:
> >
> > JvM> Is any outbound NEW connection supposed to be used from
> > JvM> fedorapeople.org except maybe for a few named sockets on trusted
> > JvM> remote hosts?
> >
> > Well, some might think it reasonable to pull content to fedorapeople
> > (wget, scp run on fedorapeople pulling from remote sites) instead of
> > forcing content to be pushed.  Which would argue for outbound http and
> > ssh ports, I guess.  Should be easy to just say no to that kind of
> > thing, though, if the intent is to lock it down.
> >
> > I also wonder if mounting user-writable filesystems as noexec would be
> > reasonable.
> >
>
> they are noexec - the user uses a python based irc bot and just ran it
> using:
> python scriptname.
>

I wonder how much pain chmod o-x /usr/bin/python would cause :)

	-Mike
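
An added example, not part of the original thread: a small audit of the two controls discussed above, noexec on user-writable filesystems and the "other" execute bit on interpreters that chmod o-x would clear. The mount table is a constructed sample, and the paths and function names are assumptions made for illustration.

```python
import os
import re
import stat

# Constructed sample in /proc/mounts format (not from fedorapeople.org).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /srv/my\\040share ext4 rw,noexec 0 0
"""

def parse_mounts(text):
    """Return [(mountpoint, options)] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            # The kernel writes space, tab, newline and backslash as \ooo octal.
            mp = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[1])
            mounts.append((mp, set(fields[3].split(","))))
    return mounts

def mount_for(path, mounts):
    """Longest-prefix match: the mount that actually holds path."""
    best = ("/", set())
    for mp, opts in mounts:
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and len(mp) >= len(best[0]):
            best = (mp, opts)
    return best

def writable_without_noexec(paths, mounts):
    """User-writable paths whose backing mount lacks noexec."""
    return [p for p in paths if "noexec" not in mount_for(p, mounts)[1]]

def others_can_execute(mode):
    """True if the 'other' execute bit is set, the bit chmod o-x clears."""
    return bool(mode & stat.S_IXOTH)

def exposed_interpreters(candidates):
    """Existing interpreters any user can run; noexec on the script's
    filesystem does not matter because only the interpreter is exec'd."""
    return [p for p in candidates
            if os.path.exists(p) and others_can_execute(os.stat(p).st_mode)]

if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    print(writable_without_noexec(["/home/alice", "/tmp", "/srv/my share/pub"], mounts))
    print(exposed_interpreters(["/usr/bin/python", "/usr/bin/python3", "/usr/bin/perl"]))
```

On a live host, pass the contents of /proc/mounts to parse_mounts instead of the sample.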

