http://blog.lathi.net/articles/2005/11/08/noexec-for-security en-us 40 On Life, Fatherhood, Christianity, and Computers <p>I don&#8217;t know why I didn&#8217;t think of this myself, but I just changed <code>/tmp</code> to mount <code>noexec</code>. Lately I&#8217;ve been having problems on my server with clients uploading stuff to their <code>/cgi-bin/</code> or <span class="caps">PHP</span> code to their docroot that has security vulnerabilities. I don&#8217;t have anything in place (yet!) to monitor what they upload, so I&#8217;m caught by surprise when something happens.</p> <p>Changing <code>/tmp</code> to <code>noexec</code> is an obvious improvement. My web server doesn&#8217;t run as root, so <code>/tmp</code> is a common place for exploits to download, compile and run stuff. The <code>noexec</code> option cuts that last step off. Assuming I&#8217;m not the last sys admin to figure this out, I encourage you to do the same.</p> <p>By the way, it turned out to be very simple to affect the change after editing the <code>/etc/fstab</code>:</p> <blockquote> <code> sudo mount -o remount /tmp </code> </blockquote> <p>Now on to write some report that will let me know what stuff my clients have installed&#8230;</p> Tue, 08 Nov 2005 05:27:07 -0600 urn:uuid:5fcf1754-1efc-4f84-90f8-a439f62d3f64 Doug http://blog.lathi.net/articles/2005/11/08/noexec-for-security System Administration Security noexec <p><a href="http://lists.debian.org/debian-glibc/2003/10/msg00539.html" rel="nofollow">http://lists.debian.org/debian-glibc/2003/10/msg00539.html</a></p> Thu, 10 Nov 2005 08:57:31 -0600 urn:uuid:8f8f56e8-9692-4574-ae3a-f31a6336c38d http://blog.lathi.net/articles/2005/11/08/noexec-for-security#comment-95