Old 08-24-2006, 11:34 AM  
borked
Quote:
Originally Posted by prodiac
The best way to protect against that is to set your /tmp dir to be noexec, and link your other tmp directories there as well.

So not only do you always want to make sure you have the latest updates of all scripts you are running, but you want to make sure your directory permissions are also secure, don't allow writing if it doesn't need to be. Be careful with setting stuff to 777, etc.

Just to clarify this point - securing /tmp with noexec is not simply a chmod permissions command - /tmp needs to be chmod 0777 or things'll start going whacky. You need to mount /tmp with

    mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

or something similar and have it constantly mounted with noexec from fstab.
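A check for the point made in the post, added here as an example and not part of the original post: it confirms that /tmp carries noexec and nosuid both in the live mount table and in fstab, so the setting survives a reboot. The function names `has_opts` and `audit_tmp`, the ext3 filesystem type and the sample tables are assumptions constructed for illustration; on a real host pass /proc/mounts and /etc/fstab.

```shell
#!/bin/sh
# has_opts TABLE MOUNTPOINT OPT...
# TABLE is a file in fstab or /proc/mounts layout:
#   device  mountpoint  fstype  options  dump  pass
# Returns 0 if the LAST entry for MOUNTPOINT has every OPT, 1 if an option
# is missing, 2 if the mount point is not listed. Later mounts stack over
# earlier ones, so the last matching line is the effective one.
has_opts() {
    table=$1; mp=$2; shift 2
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { o = $4 } END { print o }' "$table")
    [ -n "$opts" ] || return 2
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;        # exact option match, so "exec" != "noexec"
            *) return 1 ;;
        esac
    done
    return 0
}

# audit_tmp LIVE_TABLE FSTAB
# Passes only when /tmp is hardened now AND configured to stay that way.
audit_tmp() {
    live=$1; fstab=$2; rc=0
    has_opts "$live" /tmp noexec nosuid ||
        { echo "live:  /tmp is missing noexec and/or nosuid"; rc=1; }
    has_opts "$fstab" /tmp noexec nosuid ||
        { echo "fstab: /tmp is missing noexec and/or nosuid (lost on reboot)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: /tmp is noexec,nosuid now and after reboot"
    return "$rc"
}

# Constructed sample data (not from a real host): /tmp was remounted by hand
# with the right options, but the fstab entry was never updated.
demo=$(mktemp -d)
printf '%s\n' '/dev/sda1 / ext3 rw 0 0' \
              '/dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0' > "$demo/mounts"
printf '%s\n' '# device mountpoint type options dump pass' \
              '/dev/tmpMnt /tmp ext3 loop,rw 0 0' > "$demo/fstab"
audit_tmp "$demo/mounts" "$demo/fstab" || true
rm -rf "$demo"
```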