On Mon, Jul 14, 2003 at 11:28:50AM -0400, Matt Zimmerman wrote:
> "Security" by obscurity isn't security.

I disagree that it's security through obscurity. It's just another layer of security, of making an attacker (theoretically) take that one extra step, making them work just a little bit harder to mess with your machine.

I mount /tmp noexec and nosuid, and it's not broken anything on any of my Debian (or *bsd) machines yet. In the event that a package does want to execute code in /tmp, I'll just make unhappy noises at it and remount it for the duration of inst. In fact, all partitions that theoretically shouldn't have code being run on them, but require rw get noexec and nosuid (like /var/lib/cvs, or an ftpd root dir, etc).

As for the ~/tmp or ~/.tmp commentary, I have no real opinion, but it seems like it'd be a lot of work to implement. :-)

-- 
bda
Cyberpunk is dead. Long live cyberpunk.
http://mirrorshades.org
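
A check for the mount policy described in the message above, as an added example that is not part of the original post: it reads a table in the /proc/mounts layout and reports read-write mounts that lack noexec or nosuid. The device names, the /srv/ftp path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit rw mounts for missing noexec/nosuid.
# stdin uses the /proc/mounts layout: device mountpoint fstype options dump pass

# Constructed sample table (not taken from any real host).
sample_mounts() {
    cat <<'EOF'
/dev/hda5 /tmp ext3 rw,nosuid,noexec 0 0
/dev/hda6 /var/lib/cvs ext3 rw,nosuid 0 0
/dev/hda7 /srv/ftp ext3 rw 0 0
/dev/hda8 /usr ext3 ro 0 0
EOF
}

# audit_mounts PATH...
# Prints one line per PATH that violates the policy; returns 1 if any did.
audit_mounts() {
    table=$(cat)
    rc=0
    for want in "$@"; do
        # Last matching entry wins: a later mount shadows an earlier one.
        opts=$(printf '%s\n' "$table" |
               awk -v m="$want" '$2 == m { o = $4 } END { print o }')
        if [ -z "$opts" ]; then
            # Not its own filesystem, so it inherits the parent's options.
            echo "$want not-a-separate-mount"
            rc=1
            continue
        fi
        # The policy only concerns writable filesystems.
        case ",$opts," in *,ro,*) continue ;; esac
        missing=""
        for need in noexec nosuid; do
            case ",$opts," in
                *",$need,"*) ;;
                *) missing="${missing:+$missing,}$need" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$want missing:$missing"
            rc=1
        fi
    done
    return $rc
}

# Demo run on the constructed table; on a live Linux host use: audit_mounts /tmp < /proc/mounts
sample_mounts | audit_mounts /tmp /var/lib/cvs /srv/ftp /usr /home || true
```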