Hello all,
I am setting up a server where users will have shell access (ssh). I want to prevent anyone from uploading and running their own binaries. The idea is simply to make sure that all partitions where users have write access will be mounted with the noexec flag. My only problem is /tmp (which is also a separate partition), where the users will have write access since they have a shell.
Is it safe to mount /tmp with noexec too? Or will it break any programs - if so which? The server runs lots of stuff; apache/php, samba, cvs, qmail + courier-imap + fetchmail + procmail for mail system, named, dhcp, sshd, (i may have forgotten some).
Any experience and comments are welcome
http://www.securityportal.com/lskb/articles/kben10000036.html mounting /tmp noexec will break very little (in my opinion anything that moves/copies binaries to tmp and then executes them is broken). It shouldn't be a problem. You should also look into PAM to restrict what users can do: http://www.sysadminmag.com/current/feature.shtml
Thanks,
Simon
Kurt Seifried SecurityPortal, your focal point for security on the net http://www.securityportal.com/