Hemmann, Volker Armin wrote:
> On Friday 17 February 2006 07:33, Alexander Skwar wrote:
>> Hemmann, Volker Armin wrote:
>> > On Thursday 16 February 2006 20:40, Alexander Skwar wrote:
>> >> Hemmann, Volker Armin wrote:
>> >> > On Thursday 16 February 2006 17:18, Alexander Skwar wrote:
>> >> >> Hemmann, Volker Armin wrote:
>> >> >> > On Thursday 16 February 2006 15:45, Alexander Skwar wrote:
>> >> >> >> Hemmann, Volker Armin wrote:
>> >> >> >> > On Thursday 16 February 2006 14:06, Alexander Skwar wrote:
>> >> >> >> >> Izar Ilun wrote:
>> >> >> >
>> >> >> > Why should he make /tmp noexec,
>> >> >>
>> >> >> Security precaution.
>> >> >
>> >> > if you have 10+ users with access to the box. But a workstation,
>> >> > without even sshd running, it is not needed.
>> >>
>> >> "needed" - What's "needed", anyway?
>> >>
>> >> > And hey, why should /tmp noexec save you from anything?
>> >>
>> >> Because it does.
>> >
>> > so? how?
>>
>> Think, you might find out. What does noexec do, hm?
>>
>> Even *you* might find out...
>>
>> Well... If I think about it... No, you're too clueless
>> to find out.
>>
>> Hint 1: "noexec" nowadays makes it impossible to execute
>> programs stored on that filesystem.
>
> I know,

Obviously not.

> but it won't save you from anything.

It does. Like I said.

> After a user got in,

Then it is too late. noexec can save you exactly here.

> he is a user. And every user has a place with write
> permission (if he is user apache/httpd he has lots of places, where he can
> store code).

No, he doesn't.

> Outside of /tmp.

Wrong.

> You see - it doesn't help you anything.

I see that you don't know what you're talking about.

>> Hint 2: /tmp (and /var/tmp) are (hopefully) the only places
>> where everybody can write.
>
> an attacker does not need a place, where everybody can write. He just needs
> SOME place, where he can write - like the home-directory of the user he just
> corrupted.

But to gain access, most attacks need a place to write.

> Also, he can disrupt your system, by just filling up /tmp. No code needed for
> that.

True. /var/log might be even easier.

>> True. /var/tmp is a link to /tmp on my system. And if not, /var/tmp
>> could also easily be a separate fs.
>
> and another partition ...

Hint: A link is not a partition. And even if it were another filesystem - who cares?

>> >> >> Ah. Please explain how you mount /tmp noexec and /usr
>> >> >> readonly.
>> >> >
>> >> > I don't because it is wasted effort.
>> >>
>> >> Of course it's not.
>> >
>> > yes it is.
>>
>> Jaja. Just because you've got problems, it doesn't mean
>> that there ARE problems.
>
> it is wasted: if he has so many rights, that he could write to /usr, he has
> enough rights to remount it.

Of course not. Having write permissions doesn't mean that somebody is root. Answer the question.

> and /tmp is not needed, as soon as you have broken into the box.

Exactly - *as* *soon*.

> So, noexec and ro /usr will save you from nothing.

Wrong.

>> No, it's not. Write permissions don't mean, that somebody is root.
>
> in my /usr, yes it does.

Fine - who cares?

>> > yes really, you have to remount /usr every time you update something.
>>
>> Jaja. You know, your exaggerations become boring...
>
> because it is true?

No, it's not.

> show me, how do you update something residing in /usr without remounting.

I don't.

>> c) Boot a rescue system like Knoppix and clean /tmp.
>
> yeah! but why boot from a boot-cd, if you don't have to?

Don't let it happen in the first place.

> (hint: /tmp not on
> its own, small partition)

Bad advice.

>> >> >> I see. Strange thing is, that about every server and workstation
>> >> >> I've seen more or less contradicts what you say.
>> >> >
>> >> > if you have 20+ users on each of them, and every single one is a
>> >> > little cracker in disguise, it may make sense, but for a single user
>> >> > box?
>> >>
>> >> Why are you asking?
>> >
>> > because you are the one starting with 'server' and 'workstations'
>>
>> Correct. So what? Why are you asking?
>>
>> > and the OP
>> > never talked about one or the other.
>>
>> His system MUST be the one or the other.
>
> nope,

Wrong.

> there is a third category: personal computer (also called home
> computer).

Which is the WS class.

>> >> > If every partition takes a second, it will be very noticeable.
>> >>
>> >> Hardly. (Notice that I'm not saying "No".)
>> >
>> > if mounting becomes the major 'hold up' in your booting process, it
>> > becomes VERY noticeable.
>>
>> Jaja. Do you actually expect to be taken seriously?
>
> not from you.

Fine.

> From this mailing list I learnt, that if someone is not on your
> side, the person is wrong.

If you say so.

>> > I have been there,
>>
>> I doubt that.
>
> Why should I lie?

I've got no idea. But you obviously do.

> I had 3 ibm harddisks 1x10Gb, 2x40gb, one seagate 20gb and all and everything
> on its own partition.
> And it was hell after a while.

Because you overdid it: "all and everything on its own partition".

>> > More harddisks=bigger chance that one of them dies.
>>
>> True. So? What does this have to do with the fact, that the
>> available hd's are too small? Just as a reminder - that's
>> the scenario YOU are talking about.
>
> because you started with 'buy more harddisks'

As you started with "not enough space". In your world, how do you get more space?

>
>> >> > It is simple math.
>> >>
>> >> *LOL* _You_ should not talk about maths :)
>> >
>> > you obviously don't understand simple statistics.
>>
>> Seems like. But maybe it's just, that I've got problems
>> following your nonsense, hm?
>
> you mean your nonsense?

No. I meant the nonsense that you write. Learn to read.

> Yep, it is hard to deal with you.

I'm just as anal as you are.

Alexander Skwar
--
Your happiness is intertwined with your outlook on life.
--
gentoo-user@gentoo.org mailing list
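The two controls the thread argues about, noexec on the world-writable temp filesystems and a read-only /usr, as an added shell example that is not part of this thread and not any poster's words. It audits a /proc/mounts-style listing for those options, emits the /etc/fstab lines that apply them, and shows the remount wrapper that an update on a read-only /usr needs. The sample mount table is constructed, and the function names and the option choices (nosuid and nodev alongside noexec, nodev on /usr) are assumptions of the example, not settings taken from anyone's system.

```shell
#!/bin/sh
# Added example, not from the thread: audit a /proc/mounts-style listing for
# noexec on world-writable temp filesystems and for a read-only /usr, and
# produce the fstab lines that set them. Runs unprivileged on sample data.

# Constructed sample in /proc/mounts format (device mountpoint fstype options
# dump pass); not captured from a real host.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /usr ext3 ro,nodev 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda4 /home ext3 rw,nodev 0 0'

# has_option MOUNTS MOUNTPOINT OPTION: succeed if MOUNTPOINT carries OPTION.
# Options are compared as whole comma-separated words, so "ro" does not match
# "errors=remount-ro" and a prefix of another option never counts as a hit.
has_option() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# missing_noexec MOUNTS [MOUNTPOINT...]: print each given mountpoint that is
# not mounted with noexec, one per line; defaults to /tmp and /var/tmp.
# Where /var/tmp is a symlink into /tmp (as one poster describes), pass the
# resolved path instead, since /proc/mounts lists only real mountpoints.
missing_noexec() {
    mounts=$1; shift
    [ $# -eq 0 ] && set -- /tmp /var/tmp
    for mp; do
        has_option "$mounts" "$mp" noexec || printf '%s\n' "$mp"
    done
}

# usr_is_readonly MOUNTS: succeed if /usr is mounted ro.
usr_is_readonly() {
    has_option "$1" /usr ro
}

# fstab_line MOUNTPOINT DEVICE FSTYPE: the /etc/fstab entry that applies the
# discussed options to that mountpoint (tab-separated fields, fsck pass 2).
fstab_line() {
    case "$1" in
        /tmp|/var/tmp) opts=noexec,nosuid,nodev ;;
        /usr)          opts=ro,nodev ;;
        *)             opts=defaults ;;
    esac
    printf '%s\t%s\t%s\t%s\t0 2\n' "$2" "$1" "$3" "$opts"
}

# update_usr CMD...: the remount step a read-only /usr needs around an update
# (for example, around emerge). Requires root; defined here but not run.
update_usr() {
    mount -o remount,rw /usr && "$@"; status=$?
    mount -o remount,ro /usr
    return $status
}

# report MOUNTS: human-readable summary of the audit; always exits 0.
report() {
    missing=$(missing_noexec "$1")
    if [ -n "$missing" ]; then
        echo "mounted without noexec:"
        for mp in $missing; do echo "  $mp"; done
    else
        echo "all world-writable temp filesystems carry noexec"
    fi
    if usr_is_readonly "$1"; then
        echo "/usr is mounted read-only"
    else
        echo "/usr is writable"
    fi
    return 0
}

report "$SAMPLE_MOUNTS"
```

On a live host, replace the sample with `$(cat /proc/mounts)` as the first argument; with the sample above the report names /var/tmp as the one temp filesystem still lacking noexec and confirms /usr is read-only.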