Joe Knall wrote:
> When I get you right, you mean the P in Lamp makes these limitations
> (ro, noexec, nodev, chroot ...) nonsense.

only the noexec is defeated from scripts, ro nodev chrooting are obviously safe from this

..but.. noexec on linux is futile since you could use /lib/ld-linux.so to exec bins on a noexec mount point

if you make ld-linux.so -x then you have to rebuild all binaries statically linked : )

..so.. it's better to get some acl/rbac system like grsec+pax and (rsbac or selinux) to make sure things happen right

yes, it could be somewhat time expensive to write/adapt the rules to your current system but it's worth the effort

regards,
Francesco 'ascii' Ongaro
http://www.ush.it/
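A detection-side check for the loader behaviour described in the reply above, added here as an example and not part of the original post: it flags logged command lines where the dynamic loader is handed a path that lives on a noexec mount. The mount table, the command lines and all function names are constructed for illustration.

```python
import posixpath
import re
import shlex

# Constructed /proc/mounts content (sample data, not from the original post).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var/www ext4 rw,nodev,noexec 0 0
"""
# Constructed command lines, as a process or audit log might record them.
SAMPLE_CMDLINES = [
    "/usr/bin/php /var/www/index.php",
    "/lib/ld-linux.so.2 /tmp/upload.bin --flag",
    "/lib64/ld-linux-x86-64.so.2 --library-path /opt/lib /usr/local/bin/tool",
]
# Matches common dynamic loader file names: ld.so, ld-linux.so.2, ld-2.31.so ...
LOADER_RE = re.compile(r"^ld(-[\w.-]+)?\.so(\.\d+)*$")

def parse_mounts(text):
    """Map each mount point to its set of mount options."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts

def on_noexec(path, mounts):
    """True if the longest mount point containing path is mounted noexec."""
    path = posixpath.normpath(path)
    covering = [mp for mp in mounts
                if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return bool(covering) and "noexec" in mounts[max(covering, key=len)]

def loader_on_noexec(cmdlines, mounts):
    """Return (cmdline, path) pairs where the loader is given a noexec path."""
    hits = []
    for cmd in cmdlines:
        argv = shlex.split(cmd)
        if argv and LOADER_RE.match(posixpath.basename(argv[0])):
            hits += [(cmd, a) for a in argv[1:]
                     if a.startswith("/") and on_noexec(a, mounts)]
    return hits

if __name__ == "__main__":
    for cmd, path in loader_on_noexec(SAMPLE_CMDLINES, parse_mounts(SAMPLE_MOUNTS)):
        print(f"loader invoked on noexec path {path}: {cmd}")
```

The longest-prefix match matters: a path is governed by the deepest mount point that contains it, so an exec mount nested under a noexec one is not flagged.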
