trying out older (read-only, noexec, mount) security methods
Paul Howarth
paul at city-fan.org
Fri Nov 11 12:19:09 UTC 2005
Tim wrote:
> James Wilkinson:
>
>>I've got /tmp mounted nodev,noexec (and should probably mount /var the
>>same way).
>
>
> Well, I've found my first problem: Mounting /var with "noexec" means
> that CGI scripts won't run for the web server. Took me a few minutes of
> head-scratching to realise what had gone wrong, as is the way when the
> problem happens some time after a change. I've temporarily removed
> "noexec" while I consider if I should move the /var/www/cgi-bin/
> directory out of /var.
That's the approach I took, though if you do this you'll need to make
sure that the new location retains the "httpd_sys_script_exec_t" SELinux
context.
Paul.
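
The two conditions raised in this thread (the CGI directory must not sit on a "noexec" mount, and it must carry the "httpd_sys_script_exec_t" type) can be checked before relocating the scripts. The script below is an added example, not part of the original message; the mount table, the /srv/cgi-bin location and the context strings are constructed sample values, and all function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /var ext3 rw,nodev,noexec 0 0
/dev/sda3 /tmp ext3 rw,nodev,noexec 0 0
/dev/sda5 /srv ext3 rw,nodev 0 0'

# Print the mount options of the filesystem that holds PATH ($1).
# $2 is mount-table text; when empty, the live /proc/mounts is read.
mount_opts_for() {
    path=$1
    mounts=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$mounts" | awk -v p="$path" '
        # A mount point covers p if it is "/", equals p, or is a directory prefix.
        $2 == "/" || $2 == p || index(p, $2 "/") == 1 {
            # Longest mount point wins; ">=" lets a later overmount replace an earlier one.
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }'
}

# Succeed if PATH ($1) sits on a filesystem mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the type field from an SELinux context (user:role:type[:level]).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_cgi_dir DIR CONTEXT [MOUNTS]: report whether DIR can serve CGI scripts.
check_cgi_dir() {
    if is_noexec "$1" "$3"; then
        echo "noexec mount"; return 1
    fi
    if [ "$(context_type "$2")" != "httpd_sys_script_exec_t" ]; then
        echo "wrong context type: $(context_type "$2")"; return 1
    fi
    echo "ok"
}

# Demo on the constructed table; the context strings are constructed too.
check_cgi_dir /var/www/cgi-bin system_u:object_r:httpd_sys_script_exec_t:s0 "$SAMPLE_MOUNTS" || true
check_cgi_dir /srv/cgi-bin system_u:object_r:default_t:s0 "$SAMPLE_MOUNTS" || true
check_cgi_dir /srv/cgi-bin system_u:object_r:httpd_sys_script_exec_t:s0 "$SAMPLE_MOUNTS" || true
```

On a live SELinux system, leave the third argument empty to read /proc/mounts, and take the context string from GNU `stat -c %C DIR`.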