On 03/27/12 08:48, Yves-Alexis Perez wrote:
> On Tue, 2012-03-27 at 14:18 +0300, Rares Aioanei wrote:
>> I see that as a myth. Look at it this way: if an attacker already has
>> access to your machine, he/she can install anything he/she wants,
>> including compilers, interpreters, whatever.
>
> A good way to prevent that is to enforce W^X. There are various kernel
> ways to do that (MAC, Grsec trusted execution path), but also at mount
> time, it might be interesting to not have rw and exec on the same
> filesystem.
>
> Regards,

I'd advise doing this or at *least* marking home and tmp folders noexec!
One could still nullify this; fuse and executing anonymous files are two
things to try.
/usr does not have to have the permissions that would allow users to
write there, and / and /var don't need exec either, though that might
not be totally true.
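
Added example, not part of the original thread: a small audit of a /proc/mounts-style table that lists every filesystem mounted both writable and executable, which is the condition the messages above suggest avoiding. The function names, the skipped pseudo-filesystem list and the sample mount table are assumptions constructed for illustration.

```python
import re
import sys

# Kernel pseudo-filesystems skipped by this audit (an assumption of the example).
PSEUDO_FS = {"proc", "sysfs", "devpts", "cgroup", "cgroup2",
             "securityfs", "debugfs", "pstore"}

# Constructed sample in /proc/mounts format:
# device, mount point, fstype, options, dump, pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda5 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
alice@fileserver:/srv /home/alice/My\\040Files fuse.sshfs rw,nosuid,nodev,user_id=1000 0 0
"""


def unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def writable_and_executable(mounts_text):
    """Return [(mount_point, fstype)] for mounts that are rw and lack noexec."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        mount_point = unescape(fields[1])
        fstype = fields[2]
        options = set(fields[3].split(","))
        if fstype in PSEUDO_FS:
            continue
        # exec is the default: a mount is executable unless noexec is set.
        if "rw" in options and "noexec" not in options:
            findings.append((mount_point, fstype))
    return findings


if __name__ == "__main__":
    # Pass /proc/mounts as the argument to audit the running system.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTS
    for mount_point, fstype in writable_and_executable(text):
        print(f"rw+exec: {mount_point} ({fstype})")
```

In the sample, /home and /var pass because they carry noexec and /usr passes because it is read-only, while /, the tmpfs on /tmp and the FUSE mount under /home are reported.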