Re: Swap Considerations


On Mon, Feb 26, 2007 at 08:48:15PM -0500, Jim Perrin wrote:
> 
> >OTOH anything bad you can do with /tmp you can do better with /var/tmp,
> >and making that noexec is not a realistic proposition.
> 
> Very true, but applications like apache/php use /tmp as their default
> scratch/upload space. 

Thank you for saying "default".

This is one thing I think should be watched carefully. I for one make sure
not only that /tmp is mounted noexec, but also that apache can't write to it:

On one of my servers (webserver mainly):

/dev/sda3 on /tmp type ext3 (rw,noexec,nosuid,nodev,acl)

$ getfacl /tmp | grep apache
getfacl: Removing leading '/' from absolute path names
user:apache:---
default:user:apache:---

This kind of setup can save you a world of trouble/headaches.

[]s

-- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
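
The two settings shown in the message above (the mount options on /tmp and the ACL entries denying apache) can be checked with a short script. This is an added example, not part of the original post; the function names, the /var/tmp line and the full ACL listing are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original post): audit scratch-directory hardening.
# On a live host pass "$(mount)" and "$(getfacl /tmp)" instead of the samples.

# First line is the one quoted in the post; the /var/tmp line is constructed.
SAMPLE_MOUNT='/dev/sda3 on /tmp type ext3 (rw,noexec,nosuid,nodev,acl)
/dev/sda5 on /var/tmp type ext3 (rw,nosuid,nodev,acl)'

# Constructed getfacl listing containing the two apache entries from the post.
SAMPLE_ACL='# file: tmp
# owner: root
# group: root
user::rwx
user:apache:---
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:apache:---
default:group::rwx
default:mask::rwx
default:other::rwx'

# missing_opts MOUNT_TEXT MOUNTPOINT
# Prints the hardening options absent from the mount point; returns 0 if none.
missing_opts() {
    local opts missing="" o
    opts=$(printf '%s\n' "$1" |
        awk -v mp="$2" '$2=="on" && $3==mp {gsub(/[()]/,"",$6); print $6}' |
        tail -n 1)                      # last entry wins if over-mounted
    [ -z "$opts" ] && { echo "not-a-mountpoint"; return 1; }
    for o in noexec nosuid nodev; do
        case ",$opts," in *",$o,"*) ;; *) missing="$missing $o" ;; esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# acl_denies ACL_TEXT USER
# True only if both the access entry and the default (inherited) entry are ---.
acl_denies() {
    printf '%s\n' "$1" | grep -qx "user:$2:---" &&
    printf '%s\n' "$1" | grep -qx "default:user:$2:---"
}

for mp in /tmp /var/tmp; do
    if m=$(missing_opts "$SAMPLE_MOUNT" "$mp"); then echo "$mp: ok"
    else echo "$mp: missing $m"; fi
done
if acl_denies "$SAMPLE_ACL" apache; then echo "apache: no access to /tmp"; fi
```

The named-user entry is matched before the group and other entries, so `user:apache:---` denies access even though /tmp is world-writable; the `default:` entry carries the same denial to directories created under /tmp.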

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
