AbbaComm.Net wrote:
Agreed, I would though add a /tmp of 10G or so, mounted as noexec and
nosuid for web servers (running maybe insecure php apps or similar).
Dhawal,
Are you saying that in /etc/fstab that the entry should be changed from
LABEL=/tmp /tmp ext3 defaults 1 2
To
LABEL=/tmp /tmp ext3 noop,noexec,nosuid,rw 1 2
minus the noop, which I'm not aware of..
LABEL=/tmp /tmp ext3 noexec,nosuid,rw 1 2
Or do you do something slightly different?
Any drawbacks you have noticed on an internet facing web and mail server?
On some servers, we've had buggy/older versions of software like phpbb,
awstats being exploited to run rootkits from /tmp (OR /var/tmp),
where the web server has write access. Turning off exec has helped in
letting the rootkit not get executed. No drawbacks so far, I can
possibly only think of some log-reporting utility using /tmp for temp
access filling it up.. but 10G ought to be sufficient in most cases if
not make it larger..
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
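A defender-side check for the fstab change discussed in the thread, added here as an example that is not part of the original messages: it reads an fstab-style table, reports which of noexec and nosuid the /tmp entry lacks, and prints a hardened copy of that entry. The embedded sample fstab is constructed, and awk, grep, tr and mktemp are assumed to be available.

```shell
#!/bin/sh
# Check an fstab-style table for the /tmp hardening discussed in the thread:
# report whether the /tmp entry carries noexec and nosuid, and print a
# hardened copy of that entry. Uses only awk, grep, tr and mktemp.

# Constructed sample fstab (not from any real host): /tmp has noexec
# but is missing nosuid.
SAMPLE_FSTAB='LABEL=/     /     ext3 defaults   1 1
LABEL=/tmp  /tmp  ext3 noexec,rw  1 2
LABEL=/var  /var  ext3 defaults   1 2'

# tmp_opts FILE -> prints the option field of the /tmp entry (empty if none)
tmp_opts() {
    awk '$1 !~ /^#/ && $2 == "/tmp" { print $4 }' "$1"
}

# has_opt OPTS NAME -> exit 0 if NAME is one of the comma-separated OPTS
has_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# missing_tmp_opts FILE -> prints, one per line, which of noexec and nosuid
# the /tmp entry lacks; prints nothing when both are present
missing_tmp_opts() {
    opts=$(tmp_opts "$1")
    for want in noexec nosuid; do
        has_opt "$opts" "$want" || echo "$want"
    done
}

# hardened_tmp_line FILE -> prints the /tmp entry with noexec and nosuid
# appended to its options; options already present are kept as they are
hardened_tmp_line() {
    awk '$1 !~ /^#/ && $2 == "/tmp" {
        n = split($4, o, ","); for (i = 1; i <= n; i++) seen[o[i]] = 1
        opts = $4
        if (!("noexec" in seen)) opts = opts ",noexec"
        if (!("nosuid" in seen)) opts = opts ",nosuid"
        $4 = opts; print
    }' "$1"
}

# Demo on the constructed sample (a real host would pass /etc/fstab instead).
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_FSTAB" > "$demo_file"
echo "/tmp options: $(tmp_opts "$demo_file")"
echo "missing: $(missing_tmp_opts "$demo_file" | tr '\n' ' ')"
echo "hardened: $(hardened_tmp_line "$demo_file")"
rm -f "$demo_file"
```

The printed hardened line is only a suggestion to review; the fstab change itself still needs a remount (or reboot) before the options take effect.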