"Voytek Eymont" <[EMAIL PROTECTED]> writes:

> I'm setting up a new LAMP server with Centos 5.2;
>
> in the past, whilst discussing undesirable intrusions through like CMS
> vulnerabilities it was suggested to set up /tmp on a separate partition,
> set as non executable,
>
> is that still a good idea?

As much as it ever was, yes, which is to say: it is worth next to
nothing, so the effort involved is almost certainly not well invested.

> how much space to assign to /tmp on a 150GB HD?  

I would use a tmpfs, which provides natural and sensible limits.

> how do I make it non executable?

Set the noexec flag.

However, keep in mind that this will not work for anything run with an
interpreter, which includes normal ELF executables, because you can
invoke the interpreter (outside /tmp) directly.

If you have a noexec /tmp, try this:

    cp /bin/ls /tmp/ls
    /tmp/ls                     # fails
    /lib/ld-linux.so.2 /tmp/ls  # works
    # you may need ld-linux-x86-64.so.2 on some distributions

A non-exec /tmp may help you against attacks that don't work around
this issue[1], but it doesn't actually stop a successful attack.

Oh, and don't forget /var/tmp, and any other world-writable directories
on your machine, while you are about it.

Regards,
        Daniel

Footnotes: 
[1]  Approximately zero, in my experience, but yours may vary.
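
An added example (not part of the original thread) that covers the points above from the admin's side: a size-capped tmpfs line for /tmp, and a small audit that reads a /proc/mounts-style listing and reports which world-writable directories are not on a noexec mount. The mounts listing is constructed; on a live box you would feed it /proc/mounts and the output of find.

```shell
#!/bin/sh
# Example /etc/fstab entry for a tmpfs /tmp whose size is capped (512 MiB is
# an assumed figure; pick one for your workload) and mounted noexec/nosuid/nodev.
TMP_FSTAB_LINE='tmpfs /tmp tmpfs defaults,size=512m,nosuid,nodev,noexec 0 0'

# Constructed /proc/mounts excerpt (not captured from any real host).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=1048576k 0 0
/dev/sda3 /var ext3 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# Print the options of the deepest mount point containing path $2,
# reading a /proc/mounts-style listing from $1 (paths must be absolute and normalized).
mount_opts_for() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best_len) { best_len = length(mp); best = $4 }
            }
        }
        END { print best }'
}

# Exit 0 only if the mount holding path $2 carries the noexec option.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every directory in "$@" that is NOT on a noexec mount.
# Live usage: report_exec_writable "$(cat /proc/mounts)" \
#                $(find / -xdev -type d -perm -0002 2>/dev/null)
report_exec_writable() {
    mounts="$1"; shift
    for d in "$@"; do
        if ! is_noexec "$mounts" "$d"; then
            printf '%s\n' "$d"
        fi
    done
}

# Demonstration on the constructed data: /var/tmp and /dev/shm are flagged.
report_exec_writable "$SAMPLE_MOUNTS" /tmp /var/tmp /dev/shm
```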

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
