On Mon, 13 Dec 2004, Marek Podmaka wrote:
> Yes, I have been doing the same with /tmp, but some debian packages
> won't install on noexec /tmp. But there are other directories on my
> system which are world writable - for example /var/tmp and
> /var/lock.

If you can make /tmp noexec, you can also make /var/tmp and /var/lock noexec.

File wishlist bugs against packages that run stuff in /tmp, request that the maintainer not close it but rather mark it "wontfix" if he doesn't want to fix the bug (so that we can find which packages do not support noexec /tmp). Use a consistent subject for this (e.g.: <foo>: does not support noexec /tmp)

> Can entire /var be mounted noexec?

No. It will break all chroots, and also dpkg.

-- 
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
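
An added example, not part of the original mail: a shell check of whether /tmp, /var/tmp and /var/lock sit on noexec mounts, and whether /var itself has wrongly been made noexec. The function names and the sample mount table are constructed for illustration; on a live system, call `audit` with no argument to read /proc/mounts.

```sh
#!/bin/sh
# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/hda5 /var ext3 rw,nosuid 0 0
/dev/hda6 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/hda7 /var/tmp ext3 rw,nosuid,nodev,noexec 0 0'

# mount_opts DIR [TABLE] (hypothetical helper): print the mount options of the
# filesystem holding DIR, i.e. the longest mount point that is a path prefix of DIR.
# Without TABLE it reads the live /proc/mounts.
mount_opts() {
    dir=$1
    table=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$table" | awk -v d="$dir" '
        {
            mp = $2
            # Match on a "/" boundary so /tmp does not claim /tmpfoo.
            if (mp == d || mp == "/" || index(d, mp "/") == 1) {
                # >= lets a later mount on the same point shadow an earlier one.
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# is_noexec DIR [TABLE]: succeed if DIR sits on a noexec mount.
is_noexec() {
    case ",$(mount_opts "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit [TABLE]: check the world-writable directories named in the mail.
audit() {
    for d in /tmp /var/tmp /var/lock; do
        if is_noexec "$d" "$1"; then
            echo "ok    $d is noexec"
        else
            echo "WARN  $d allows exec"
        fi
    done
    # /var as a whole must stay exec: noexec there breaks chroots and dpkg.
    if is_noexec /var "$1"; then
        echo "ERROR /var is noexec"
    fi
}

audit "$SAMPLE_MOUNTS"
```

In the sample table /var/lock has no mount of its own, so it inherits the options of /var and is reported as allowing exec.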