On 24.04.2013 18:12, Tanstaafl wrote:
> On 2013-04-24 11:31 AM, Florian Philipp <li...@binarywings.net> wrote:
>> On 24.04.2013 17:12, Tanstaafl wrote:
>>> Ok, but - does it make sense to add the noexec option to /var/tmp? Is it
>>> possible that there are other apps that need exec capability in there?
>
>> It makes sense. Any world-writable directory should be noexec to make
>> script injection harder. Other directories, too, like /var/www (if you
>> can, i.e. no cgi). I cannot tell you if any application might need it.
>> Try it. It is easy enough to revert, maybe even with a `mount -o
>> remount`, I'm not sure.
>>
>> Also, look at
>> http://serverfault.com/questions/72356/how-useful-is-mounting-tmp-noexec
>
> Hmmm, this only talks about /tmp... I'm talking about /var/tmp...
>
> So, I guess you're right, I'll just need to try it and see...
>

Just stumbled across this:
http://blog.siphos.be/2013/04/securely-handling-libffi/

Might be relevant, might be not.

Regards,
Florian Philipp
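
Added example, not part of the original thread: a shell check for whether the filesystem that actually holds a directory such as /var/tmp is mounted noexec, which matters because /var/tmp is often not its own mount and inherits the options of /var or /. The function names and the sample mount table are constructed for illustration; on a live Linux system, feed the functions `/proc/mounts` instead.

```sh
#!/bin/sh
# Constructed sample in /proc/mounts format: /tmp is its own noexec tmpfs,
# while /var/tmp has no mount of its own and lives on the /var filesystem.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# mount_opts_for DIR: read a mount table on stdin and print
# "<mountpoint> <options>" for the mount that covers DIR, i.e. the longest
# mount point that is a whole-component path prefix of DIR. On equal length
# the later line wins, since a later mount shadows an earlier one.
# (Mount points containing spaces, escaped as \040, are not handled.)
mount_opts_for() {
    awk -v dir="$1" '
        {
            mp = $2
            # Require a "/" boundary so /var/t would not match /var/tmp.
            if (mp == dir || mp == "/" || index(dir, mp "/") == 1) {
                if (length(mp) >= best_len) {
                    best_len = length(mp); best = mp; opts = $4
                }
            }
        }
        END { if (best != "") print best, opts }
    '
}

# is_noexec DIR: read a mount table on stdin; succeed (exit 0) only if the
# covering mount lists noexec as a whole option, not as a substring.
is_noexec() {
    mount_opts_for "$1" | awk '
        { n = split($2, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Report on the usual world-writable directories, using the sample table.
for d in /tmp /var/tmp /dev/shm; do
    covering=$(printf '%s\n' "$SAMPLE_MOUNTS" | mount_opts_for "$d")
    if printf '%s\n' "$SAMPLE_MOUNTS" | is_noexec "$d"; then
        echo "$d: noexec (covered by: $covering)"
    else
        echo "$d: exec allowed (covered by: $covering)"
    fi
done
```

With the sample table, /var/tmp and /dev/shm are reported as exec-allowed because they fall back to the /var and / mounts, which shows that making /var/tmp noexec needs either a separate mount for it or noexec on the whole of /var.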