Hilko Bengen wrote: > * W B Hacker: > >> - ALL? Per OpenBSD practice, the production FreeBSD boxen now mount /var, and >> /<the mailstore> as noexec, nosuid. >> >> I'd call that one an 'ALL' until someone points out what it harms, and WHY >> that >> critter is allowed to<whatever>... > > On a Linux (Debian) box > > # mount --bind /var/spool/exim4 /var/spool/exim4 > # mount -oremount,noexec,nosuid /var/spool/exim4 > > should make at least the mail store unusable for dropping executables.
+1 ACK - spool / queue anyway. (my mailstore never has been in /var) > Of course, this doesn't help against executing dropped shell scripts It may do so to some extent. 'depends on (other externals..) ++...' > and > calling ld.so directly where that is possible. > Whole 'nuther can of worms, that one ... > -Hilko > > IMNSHO, there needs to be a gathering of Penguins on that score. Reasonably OS-agnostic, I'm of the opinion that comparable levels of expertise and paranoia can 'harden' a Linbox or *BSD box to approximately the same degree. But I personally have to plead ignorance on 'how so' outside of *BSD land, so - .. given that - AFAIK - Exim is more often riding on Linux than not, some research and write ups from those who DO know, seem to be a good idea. I *hope* to (eventually) see Exim able to not-ever need 'root' privs, but meanwhile. and more realistically, 'belt AND braces' .... Thanks, Bill -- ## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
