This is more of an F-MY-I question, but if the /tmp dir is a separate partition and you're using a mount command in fstab, could you limit the execute capabilities via umask?
I would think umask=111 would set the directory world read and write with no execute permissions. *NOTE* I don't fully understand umask number permissions other than the effect that they are the reverse of chmod numbers and 000 is world read/write/execute; since execute is value 1 in chmod, I assume by counting 111 you're telling umask to EXCLUDE execute. May need to look up umask values.

TeddyB

-----Original Message-----
From: Sven Joachim <svenj...@gmx.de>
Date: Fri, 12 Nov 2010 22:29:08
To: <debian-user@lists.debian.org>
Subject: Re: Making /tmp noexec

On 2010-11-12 14:30 +0100, James Allsopp wrote:

> Hi,
> I was reading this page about making tmp non-executable
> (http://pario.no/2007/10/04/making-tmp-non-executable/) but it seems a
> little out of date as I'm using Squeeze.
>
> I changed fstab, and edited my 70debconf to
>
> DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";"/usr/sbin/dpkg-preconfigure --apt || true";};
> DPkg::Post-Invoke{"mount -o remount /tmp";};

A better option would be to set APT::ExtractTemplates::TempDir to a
directory where programs can be executed. See apt-extracttemplates(1).

> is this correct? Aptitude still works fine, but I was wondering if
> anyone had experience of pitfalls with this?

While dpkg is running, programs in /tmp are executable. If you're
paranoid enough, this may worry you.

> Would I replicate this for my /var partition

If you do this, you have to relocate /var/lib/dpkg/info to another
filesystem and bind-mount or symlink it so that the package maintainer
scripts can be run.

> and is there any point to doing this with /home?

It may help a little if you cannot trust your users, but note that they
can still run (at least) shell, perl and awk scripts by invoking the
interpreter.

Sven

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/8739r65izf....@turtle.gmx.de
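The thread above hinges on what the /tmp line in /etc/fstab actually says, and on the live mount options still being in place after apt's remount hooks have run. The following POSIX shell script is an added example, not code from the thread or from either poster: it parses an fstab-style table (the same six-field layout /proc/mounts uses, so it works on either) and reports which of noexec, nosuid and nodev are missing for a given mount point. The SAMPLE_FSTAB content is constructed for the demonstration and the function names (mount_opts, has_opt, missing_hardening) are my own.

```shell
#!/bin/sh
# Added example: audit fstab / /proc/mounts entries for hardening options.
# Both formats share the layout: <device> <mountpoint> <type> <options> <dump> <pass>.

# Constructed sample table for the demonstration (not a real system's fstab).
SAMPLE_FSTAB='# /etc/fstab: static file system information.
UUID=1111-aaaa /      ext4  errors=remount-ro 0 1
tmpfs          /tmp   tmpfs defaults,noexec,nosuid,nodev,size=512m 0 0
/dev/sda3      /var   ext4  defaults,nodev 0 2
/dev/sda4      /home  ext4  defaults 0 2
'

# mount_opts TABLE MOUNTPOINT
# Prints the comma-separated option field for MOUNTPOINT; prints nothing if
# the mount point has no entry. Comment and blank lines are skipped.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[[:space:]]*(#|$)/ { next }
        $2 == mp { print $4; exit }
    '
}

# has_opt OPTS NAME
# Succeeds if NAME appears as a whole option in the comma-separated OPTS.
# Wrapping both sides in commas avoids matching prefixes (e.g. "noexecute").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_hardening TABLE MOUNTPOINT
# Prints the space-separated subset of "noexec nosuid nodev" that MOUNTPOINT
# lacks (empty output means all three are set). Returns 2 if no entry exists.
missing_hardening() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "no entry for $2" >&2
        return 2
    fi
    missing=""
    for want in noexec nosuid nodev; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    printf '%s\n' "${missing# }"
}

# Walk the sample table and report each mount point.
for mp in / /tmp /var /home; do
    result=$(missing_hardening "$SAMPLE_FSTAB" "$mp") || continue
    if [ -z "$result" ]; then
        echo "$mp: noexec,nosuid,nodev all present"
    else
        echo "$mp: missing $result"
    fi
done
```

To check the live state rather than the static file, feed the kernel's mount table instead: `missing_hardening "$(cat /proc/mounts)" /tmp`. Running that once while a package is mid-install, and once after `DPkg::Post-Invoke` has fired, shows concretely the window Sven describes in which /tmp is executable. As he also notes, a clean result here only blocks direct execution; `sh /tmp/x.sh` or `perl /tmp/x.pl` is unaffected by noexec.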