On Wed, Aug 09, 2006 at 12:37:36PM -0400, Drew Weaver wrote:
> Not only it will use unsecure versions of many softwares and some
> patches
> of questionable safety, it will also stop you from using several methods
> of improving security (/tmp hardening with ACLs is just one example).
> ---
>
> Not to sound silly but cPanel automatically secures the /tmp
> directory since the end of last year.
>
> Some people disable it forcefully.

If you call mounting it nodev,noexec securing it, yes, true. Unfortunately, that won't stop perl scripts from running there, or people using it to store stuff there. Yes, nodev,noexec is better than nothing, but it is simply not enough (or close to enough) these days.

That is why I use Posix ACLs to secure it these days. Apache simply can't write there. Ok, it is a bit of security through obscurity, since you have to reconfigure PHP to store sessions on a different directory anyway, and a really determined hacker might eventually find it through some information disclosure bug, but at least you will stop the script kiddies and mid-level hackers. And, trust me, if you are facing a really skilled hacker, cPanel is just one of your worries.

As a side note, I have started playing with SELinux to try and improve the security of my servers. My main problem is that you simply can't find a working rule set for Exim, and I'm working hard on creating one while learning SELinux at the same time.

-- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
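
An audit of the two /tmp controls compared in the message above, added here as an example and not part of the original post. It assumes the web server runs as user `apache` and that the ACL was set with `setfacl -m u:apache:--- /tmp`; the function names and sample files are hypothetical.

```sh
#!/bin/sh
# Added example: check a host for (1) nodev,noexec on /tmp and
# (2) a POSIX ACL entry that denies the web server user write access.
# Live use:  getfacl -p /tmp > acl.txt; audit_tmp apache /proc/mounts acl.txt

# Return 0 if the /tmp entry in a /proc/mounts-format file has both options.
tmp_mount_hardened() {
    awk '$2 == "/tmp" { opts = $4 }   # last matching entry is the one in effect
         END {
             n = split(opts, o, ",")
             for (i = 1; i <= n; i++) seen[o[i]] = 1
             exit !(("nodev" in seen) && ("noexec" in seen))
         }' "$1"
}

# Return 0 if getfacl output (file $2) has a named-user entry for $1 with no
# write bit. A named-user entry is evaluated before group and other entries,
# so "user:apache:---" blocks writes even on a world-writable /tmp.
# Conservative: an "rwx" entry reduced by the mask is still reported as weak.
acl_blocks_write() {
    awk -F: -v u="$1" '
        $1 == "user" && $2 == u {
            found = 1
            perms = $3
            sub(/[ \t].*/, "", perms)   # drop any "#effective:" annotation
        }
        END { exit !(found && perms !~ /w/) }' "$2"
}

# usage: audit_tmp USER MOUNTS_FILE GETFACL_OUTPUT_FILE
audit_tmp() {
    rc=0
    # noexec only blocks direct execution; an interpreter installed elsewhere
    # can still read a script from /tmp, hence the second check.
    tmp_mount_hardened "$2" || { echo "WEAK: /tmp lacks nodev,noexec"; rc=1; }
    acl_blocks_write "$1" "$3" || { echo "WEAK: $1 can still write to /tmp"; rc=1; }
    return $rc
}

# Constructed sample inputs (not captured from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' '/dev/sda3 /tmp ext3 rw,nodev,noexec 0 0' > "$demo_dir/mounts"
printf '%s\n' '# file: /tmp' '# flags: --t' 'user::rwx' 'user:apache:---' \
    'group::rwx' 'mask::rwx' 'other::rwx' > "$demo_dir/acl"
audit_tmp apache "$demo_dir/mounts" "$demo_dir/acl" && echo "OK: both controls present"
```

With the ACL in place, PHP's `session.save_path` has to point at a directory the web server user can still write to, as the message notes.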