On Tue, 2010-08-03 at 08:42 -0500, Mike McGrath wrote: > On Tue, 3 Aug 2010, seth vidal wrote: > > > On Tue, 2010-08-03 at 06:20 -0500, Jason L Tibbitts III wrote: > > > >>>>> "JvM" == Jeroen van Meeuwen <kanarip@xxxxxxxxxxx> writes: > > > > > > JvM> Is any outbound NEW connection supposed to be used from > > > JvM> fedorapeople.org accept maybe for a few named sockets on trusted > > > JvM> remote hosts? > > > > > > Well, some might think it reasonable to pull content to fedorapeople > > > (wget, scp run on fedorapeople pulling from remote sites) instead of > > > forcing content to be pushed. Which would argue for outbound http and > > > ssh ports, I guess. Should be easy to just say no to that kind of > > > thing, though, if the intent is to lock it down. > > > > > > I also wonder if mounting user-writable filesystems as noexec would be > > > reasonable. > > > > > > > they are noexec - the user uses a python based irc bot and just ran it > > using: > > python scriptname. > > > > I wonder how much pain chmod o-x /usr/bin/python would cause :) > would newrepo work still work? -sv _______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
