Security Breach ?
Guy Fraser
guy at incentre.net
Thu Mar 3 18:02:51 UTC 2005
On Thu, 2005-03-03 at 12:26 +0000, Paul Howarth wrote:
> Thomas Zehetbauer wrote:
> > On Thu, 2005-03-03 at 08:18 +0000, Paul Howarth wrote:
> >
> >>You don't say which distribution this web server was running, but I
> >>suspect that if your Apache had been running under SELinux then the
> >>attacker would not have been able to run any scripts from /tmp
> >>or /var/tmp. So, when you rebuild the server, it would be well worth
> >>considering using SELinux.
> >
> >
> > You don't need SELinux for this, you could always mount /tmp with noexec
> > flag.
>
> And /var too, provided they're separate partitions. Another good reason
> not to install into just one big / partition.
>
> Paul.
All good points, but most people on this list are likely
scratching there heads wondering what you are talking about.
I have not had a chance to read up on SELinux, but it is available
to the average person on this list to enable and from what I have
heard can provide an extra measure of security. If more secure
mount options were configured at install some of these issues could
be alleviated, but by default there are too few partitions created
to make this possible. On a regular basis I deal with "Experts" who
run servers with more holes than a spaghetti strainer. If SELinux
can make it simple to assist in "hardening" a server, then it may
be a better solution than adding a noexec flag to a partition that
is not created by any default install options. Since most people
install with only two or three partitions including the swap
partition, they would have to reinstall to implement secure mount
options.
More information about the users
mailing list