On Mon, Feb 26, 2007 at 08:48:15PM -0500, Jim Perrin wrote:
OTOH anything bad you can do with /tmp you can do better with /var/tmp, and making that noexec is not a realistic proposition.
Very true, but applications like apache/php use /tmp as their default scratch/upload space.
Thank you for saying "default".
This is one thing I think should be watched carefully. I for one make sure not only /tmp is mounted noexec, but also that apache can't write to it:
On one of my servers (webserver mainly):
/dev/sda3 on /tmp type ext3 (rw,noexec,nosuid,nodev,acl)
$ getfacl /tmp | grep apache
getfacl: Removing leading '/' from absolute path names
user:apache:---
default:user:apache:---
This kind of setup can save you a world of trouble/headaches.
[]s
-- Rodrigo Barbosa "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
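As an added example (not code from Rodrigo's post), a POSIX shell check that verifies the two things he relies on: the /tmp mount carries noexec,nosuid,nodev and the ACL denies the apache user all access, including on new entries via the default ACL. It runs offline against constructed copies of his mount and getfacl output; function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Inputs are constructed to mirror
# Rodrigo's output so this runs offline; on a live host feed it the output of
#   mount | grep ' /tmp '      and      getfacl -p /tmp

# Return 0 if every required mount option appears in a mount(8) line.
tmp_mount_hardened() {
    line="$1"
    # Pull the option list out of the trailing "(...)".
    opts=$(printf '%s\n' "$line" | sed -n 's/.*(\(.*\)).*/\1/p')
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Return 0 if getfacl output denies user "apache" both on the directory itself
# and through the default ACL that new files and subdirectories inherit.
tmp_acl_denies_apache() {
    acl="$1"
    printf '%s\n' "$acl" | grep -qx 'user:apache:---' || return 1
    printf '%s\n' "$acl" | grep -qx 'default:user:apache:---' || return 1
    return 0
}

# Commands that produce this state (run as root; shown here, not executed):
#   mount -o remount,noexec,nosuid,nodev,acl /tmp
#   setfacl -m u:apache:--- /tmp
#   setfacl -d -m u:apache:--- /tmp

# Constructed sample input matching the post.
SAMPLE_MOUNT='/dev/sda3 on /tmp type ext3 (rw,noexec,nosuid,nodev,acl)'
SAMPLE_ACL='# file: tmp
# owner: root
# group: root
# flags: --t
user::rwx
user:apache:---
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:apache:---
default:group::rwx
default:mask::rwx
default:other::rwx'

if tmp_mount_hardened "$SAMPLE_MOUNT" && tmp_acl_denies_apache "$SAMPLE_ACL"; then
    echo "/tmp hardening verified"
fi
```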