dick hoogendijk wrote: > Today I read that /tmp always is "noexec". > That should probably be on linux, because on my fbsd-6.1 box it's "rw" > and that's it. > > Question: should I change /tmp to "rw,noexec" to be safer?
It will screw up your ability to do 'make buildworld', but other than that, is generally harmless. In order for something like that to be effective though, you'ld have to ensure that there weren't any world writeable directories on your system on partitions that allowed processes to be exec'd from them. Similarly you'ld have to ensure that any account liable to compromise does not have any directories around where it can write files and execute them from. Which is actually quite reasonable to do for most of the UIDs that exist solely to own network server processes. However, at that level of paranoia, judicious use of chroot(2) or jail(2) would be indicated -- so banishing network servers into corners of your disk space with no /tmp accessible on them at all. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
Description: OpenPGP digital signature