Stuart Henderson writes:
> I think you'd need to disable mount completely, otherwise you can mount
> a new writable filesystem (e.g. MFS) that doesn't have noexec.
Yeah, I completely missed that vector. And really, that makes more
sense. How often do you live mount filesystems on a firewall?
Thanks for the reply..
Good one, try to think I was sure it was meaning
many western right wingers (cats) vs 1 jelly fish (cattle).
Then, when I have time I explain what is coudardy..
-Dan
Mar 26, 2024 11:06:17 Alexis :
> Dan writes:
>
>> I'm curious John Doe.. you said cloud but not
Dan writes:
I'm curious John Doe.. you said cloud but not firewall, and cattle but
not pets, right?
As with a number of your posts, I'm not clear on what you're
saying or asking, but for those wondering, here's an explanation
of "cattle vs pets" in the context of computing infrastructure:
On 2024-03-25, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> I am curious to hear people's thoughts on adding some mount(2)
> hardening when the system is running at securelevel 2. Specifically:
>
> * do not allow removing MT_NODEV, MT_NOEXEC, MT_NOSUID,
> or MT_RDONLY in conjunction
I'm curious John Doe.. you said cloud but not firewall, and cattle but not
pets, right?
You are a strange anglophone western toddler..
-Dan
Mar 25, 2024 23:41:44 jslee :
> On Tue, 26 Mar 2024, at 04:30, Dan wrote:
>> Eventually, having the kernel possibility to customize the config path
>>
On Tue, 26 Mar 2024, at 04:30, Dan wrote:
> Eventually, having the kernel possibility to customize the config path
> from /etc in eg /heroxyz
> could be helpful for a firewall, what do you think?
Everything you do to complicate ongoing admin will hinder your maintenance and IMO
this will make your
Eventually, having the kernel possibility to customize the config path from
/etc in eg /heroxyz
could be helpful for a firewall, what do you think? :-)
-Dan
Mar 25, 2024 18:06:10 Dan :
>> /etc is always going to be problematic. I've been experimenting
>> to see if I can create a viable
Lyndon Nerenberg (VE7TFX/VE6BBM) :
> /etc is always going to be problematic. I've been experimenting
> to see if I can create a viable firewall config with a read-only
> root filesystem.
I do not know what you mean by "experimenting if", and if you finally
realized your purpose.. but
Omar Polo writes:
> or they can just upload to /usr/local or /home, or mess with /etc, or...
> I don't see how this would help.
It's another layer to make things more difficult.
If the writable filesystems are noexec and they can't take that
away, uploads become less valuable.
/etc is always
On 2024/03/24 19:01:00 -0700, "Lyndon Nerenberg (VE7TFX/VE6BBM)"
wrote:
> I am curious to hear people's thoughts on adding some mount(2)
> hardening when the system is running at securelevel 2. Specifically:
>
> * do not allow removing MT_NODEV, MT_NOEXEC, MT_NOSUID,
> or
I am curious to hear people's thoughts on adding some mount(2)
hardening when the system is running at securelevel 2. Specifically:
* do not allow removing MT_NODEV, MT_NOEXEC, MT_NOSUID,
or MT_RDONLY in conjunction with MNT_UPDATE
* do not allow MNT_WXALLOWED in