-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Feb 26, 2007 at 08:48:15PM -0500, Jim Perrin wrote:
>
> >OTOH anything bad you can do with /tmp you can do better with /var/tmp,
> >and making that noexec is not a realistic proposition.
>
> Very true, but applications like apache/php use /tmp as their default
> scratch/upload space.

Thank you for saying "default". This is one thing I think should be
watched carefully. I, for one, make sure not only that /tmp is mounted
noexec, but also that apache can't write to it.

On one of my servers (webserver mainly):

/dev/sda3 on /tmp type ext3 (rw,noexec,nosuid,nodev,acl)

$ getfacl /tmp | grep apache
getfacl: Removing leading '/' from absolute path names
user:apache:---
default:user:apache:---

This kind of setup can save you a world of trouble/headaches.

[]s

- --
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFF4+espdyWzQ5b5ckRAnrFAKClVK3OX1Qz4iv1gDvimZSXzEpezQCgoOP4
NhUnwZL3DxSkfMQjRNlOTbk=
=ATDr
-----END PGP SIGNATURE-----
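The setup Rodrigo describes has two independent pieces: the mount options on /tmp (noexec, nosuid, nodev) and an ACL that explicitly denies the web server user both on the directory and in its default ACL, so files created there inherit the denial. The script below is an added example, not code from the original post or the list: it audits both pieces from the text output of `mount` and `getfacl`. The mount line and the getfacl listing it runs on are constructed samples modelled on the ones quoted above, so it works offline; on a real server you would feed it the live output of `mount` and `getfacl /tmp` instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit /tmp for the hardening
# described above, i.e. noexec/nosuid/nodev mount options plus an ACL that
# denies the web server user on the directory and in the default ACL.

# Constructed sample of one line of `mount` output.
SAMPLE_MOUNT='/dev/sda3 on /tmp type ext3 (rw,noexec,nosuid,nodev,acl)'

# Constructed sample of `getfacl /tmp` output (leading-slash warning omitted).
SAMPLE_ACL='# file: tmp
# owner: root
# group: root
user::rwx
user:apache:---
group::rwx
other::rwx
default:user:apache:---'

# mount_has_option "<mount line>" "<option>": 0 if the option appears in the
# parenthesised, comma-separated option list of that mount line.
mount_has_option() {
    line=$1
    opt=$2
    opts=$(printf '%s\n' "$line" | sed -n 's/.*(\(.*\)).*/\1/p')
    case ",$opts," in
        *",$opt,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# acl_denies_user "<getfacl output>" "<user>": 0 only if the user has an
# explicit '---' entry both on the directory and in the default ACL, so new
# files and subdirectories inherit the denial.
acl_denies_user() {
    acl=$1
    user=$2
    printf '%s\n' "$acl" | grep -qx "user:$user:---" &&
    printf '%s\n' "$acl" | grep -qx "default:user:$user:---"
}

# tmp_hardened "<mount line>" "<getfacl output>" "<user>": reports each
# finding and returns 0 only when every check passes.
tmp_hardened() {
    line=$1
    acl=$2
    user=$3
    rc=0
    for opt in noexec nosuid nodev; do
        if mount_has_option "$line" "$opt"; then
            echo "ok:   /tmp mounted $opt"
        else
            echo "FAIL: /tmp is missing $opt"
            rc=1
        fi
    done
    if acl_denies_user "$acl" "$user"; then
        echo "ok:   $user denied by ACL and default ACL on /tmp"
    else
        echo "FAIL: $user is not fully denied by ACL on /tmp"
        rc=1
    fi
    return $rc
}

# Run against the constructed samples; for a live check replace the two
# arguments with "$(mount | grep ' on /tmp ')" and "$(getfacl /tmp 2>/dev/null)".
tmp_hardened "$SAMPLE_MOUNT" "$SAMPLE_ACL" apache
```

Checking both the directory entry and the `default:` entry matters: a directory ACL without the default entry denies apache the directory itself, but files another process drops there may still be readable or writable by the web server user under the normal mode bits.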