Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I was viewing a computer security related tutorial
Which one?
Quote:
Originally Posted by sulekha
, in it it is said that from a security standpoint partitions should be mounted as follows :-
Did it say what that would protect against?
Did you check those mount options with what 'man mount' says?
Did you check which applications in /usr have setuid / setgid set (/home and /tmp shouldn't contain binaries anyway)?
Did it say what it would not protect against?
You can also temporarily mount the partitions to see what happens. This should not cause any permanent damage and to reset simply use "-o remount" w/o args:
Code:
grep dev/ /proc/mounts | while read dev mp fs args; do
case "$mp" in
/usr|/tmp|/home)
mount $mp -o remount noexec,nosuid,$args
;;
esac;
done
So, where would you suggest an aspiring programmer should compile and execute his "Hello world" program if his personal machine is set up according to those recommendations?
So, where would you suggest an aspiring programmer should compile and execute his "Hello world" program if his personal machine is set up according to those recommendations?
That's an exception but a good one to note, thanks. It's also the reason I suggested the OP test things before making it permanent.
Distribution: K/Ubuntu 18.04-14.04, Scientific Linux 6.3-6.4, Android-x86, Pretty much all distros at one point...
Posts: 1,802
Rep:
Quote:
Originally Posted by rknichols
So, where would you suggest an aspiring programmer should compile and execute his "Hello world" program if his personal machine is set up according to those recommendations?
The /home partition is also a reasonable place to put binaries from sources that you have ANY doubts about (i.e.: Games, binary apps for VOIP that want to turn you machine into a super node, etc.).
On multi-user systems, especially, many userland programs would reside in the user account directories of their users in /home.
binaries from sources that you have ANY doubts about (..) On multi-user systems, especially, many userland programs would reside in the user account directories of their users in /home.
I'm not sure if you're aware of it but being able to introduce and run foreign binaries are what some classic compromises are made of. The fact its run from a users /home means nothing if that is all a local exploit needs. IMNSHO one simply should not run suspicious binaries unless using VM to sandbox it.
Apart from mount flags theres Trusted Path Execution, a feature unique to GRSecurity AFAIK, denying users one specific avenue to cause FOD.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.