On 29/11/99 aphro wrote:

id suggest making the compiler(s) runable only by root(same for
the libraries the compilers use)

i suppose, but that takes the fun out of the system :-)

make users home dirs on another partition
mounted with at least the noexec option and make sure there is no
directories writable by users(like /tmp) on a partition that is not
mounted with such options.

unfortunately this is easier said then done, the /var filesystem cannot be made noexec without problems and its littered with world writable directories. if you remove tetex you get rid of about half a dozen, but that still leaves /var/tmp and /var/lock (why is /var/lock world writable on debian but not redhat??) i can make a partition for /var/tmp but not /var/lock!

also note that if you mount /var/tmp noexec root will have to remount it exec to install any .deb packages.

i personally just settle for nosuid on /var/tmp, /tmp /home, /var (/var sometimes has suids though check first)



Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/

Reply via email to