Security Breach ?

Guy Fraser guy at incentre.net
Thu Mar 3 18:02:51 UTC 2005


On Thu, 2005-03-03 at 12:26 +0000, Paul Howarth wrote:
> Thomas Zehetbauer wrote:
> > On Thu, 2005-03-03 at 08:18 +0000, Paul Howarth wrote:
> > 
> >>You don't say which distribution this web server was running, but I
> >>suspect that if your Apache had been running under SELinux then the
> >>attacker would not have been able to run any scripts from /tmp
> >>or /var/tmp. So, when you rebuild the server, it would be well worth
> >>considering using SELinux.
> > 
> > 
> > You don't need SELinux for this, you could always mount /tmp with noexec
> > flag.
> 
> And /var too, provided they're separate partitions. Another good reason 
> not to install into just one big / partition.
> 
> Paul.
All good points, but most people on this list are likely 
scratching their heads wondering what you are talking about.

I have not had a chance to read up on SELinux, but it is available 
to the average person on this list to enable and from what I have 
heard can provide an extra measure of security. If more secure 
mount options were configured at install some of these issues could 
be alleviated, but by default there are too few partitions created 
to make this possible. On a regular basis I deal with "Experts" who 
run servers with more holes than a spaghetti strainer. If SELinux 
can make it simple to assist in "hardening" a server, then it may 
be a better solution than adding a noexec flag to a partition that 
is not created by any default install options. Since most people 
install with only two or three partitions including the swap 
partition, they would have to reinstall to implement secure mount
options.
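
The following is an added example, not part of the original message or thread: a shell check of whether `/tmp`, `/var/tmp` and `/var` are separate mounts carrying `noexec`, or merely directories inside a larger filesystem. The function names (`mount_status`, `sample_mounts`, `report`) and the three-partition sample layout are constructed for illustration; input is assumed to be in `/proc/mounts` format.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: /tmp is its own noexec partition,
# /var is a separate partition without noexec, /var/tmp is just a directory.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext3 rw 0 0
EOF
}

# mount_status DIR [MOUNTS_FILE]
# Prints "<covering mount point> <noexec|exec>" for DIR.
mount_status() {
    dir=$1
    mounts=${2:-/proc/mounts}
    awk -v d="$dir" '
        # A mount covers d if it is d itself, "/", or a path prefix of d.
        # Longest match wins; on a tie the later line shadows the earlier one.
        $2 == d || $2 == "/" || index(d, $2 "/") == 1 {
            if (length($2) >= length(best)) { best = $2; opts = $4 }
        }
        END {
            if (best == "") exit 1
            state = "exec"
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") state = "noexec"
            print best, state
        }' "$mounts"
}

# report MOUNTS_FILE: one line per directory discussed in the thread.
report() {
    file=$1
    for d in /tmp /var/tmp /var; do
        res=$(mount_status "$d" "$file") || continue
        mp=${res% *}; state=${res#* }
        if [ "$mp" = "$d" ]; then where="own mount"; else where="inside $mp"; fi
        echo "$d: $where, $state"
    done
}

# Run against the constructed sample.
sample=$(mktemp) && sample_mounts > "$sample" && report "$sample"
rm -f "$sample"
```

Calling `report /proc/mounts` audits the running system instead of the sample. A directory reported as "inside" another mount cannot be given `noexec` on its own without a separate partition.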




