[Asterisk-Users] Linux Partitions (before asterisk install)
Michiel van Baak
michiel at vanbaak.info
Sat Dec 17 16:36:28 MST 2005
On 00:03, Sun 18 Dec 05, Tzafrir Cohen wrote:
> On Sat, Dec 17, 2005 at 09:18:39PM +0100, Michiel van Baak wrote:
> > > > /home
> > >
> > > An asterisk system typically does not have users and need not have a
> > > separate /home
> >
> > I disagree here.
> > You have at least 1 user to remotely login to the system to
> > do some work on it. Think config changes etc.
> > In case of unauthorized access (ppl stole your password or
> > whatever) you will be glad you have /home on a separate
> > partition that is mounted noexec,nosuid,nodev
>
> noexec? What will that give you against a user with a shell account?
>
> tzafrir at boomtime:~/Proj/Debs/Netcat/netcat-1.10$
> $ cp /bin/ech /tmp/echonoexec
> $ chmod 644 /tmp/echonoexec
> $ ls -l /tmp/echonoexec
> -rw-r--r-- 1 tzafrir tzafrir 13912 2005-12-17 23:52 /tmp/echonoexec
> $ /lib/ld-linux.so.2 /tmp/echonoexec it runs!
> it runs!
>
> Not to mention all of the #! executables. Only static executables are
> "harmed". So what was it that noexec prevented me from doing?
I agree with this.
But noexec is not the only thing.
As this was not really a security thread, I just posted my
personal prefs.
Together with those mount options I also use systrace.
There I disable the /lib/ld-linux hacks and stuff.
Like I said, my setup is not "the way to do it".
It's just what works for me.
I was commenting on the fact ppl think having separate
partitions for different parts of a system is not what is
needed. There are some uses for it, that's what it was all
about.
Having partitions with mount options is not the only step in
securing your system, that much is shown here ;)
Actually in my setup my /home is not even local. That is
just another reason to setup a box with separate partitions
for /home, /tmp, /usr etc. It will save you time in the
occasion you want to deploy a remote filesystem for one of
them.
I'm sorry if you took my points as attacks on your setup.
--
Michiel van Baak
http://michiel.vanbaak.info
michiel at vanbaak.info
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D
"Why is it drug addicts and computer aficionados are both called users?"
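As an added example, not part of this thread or of either poster's setup, here is a small POSIX shell audit for the partition layout discussed above: it reads a mount table in /proc/mounts (or /etc/fstab) column order and reports, for /home and /tmp, whether each is a separate mount and which of noexec, nosuid and nodev it lacks. The mount table is a constructed sample and the function names (mount_options, has_option, missing_options, audit) are my own. It checks the configuration only; as the ld-linux.so demonstration in the quoted message shows, noexec limits what a shell user can run but does not stop it, so a passing audit is one layer, not a verdict.

```shell
#!/bin/sh
# Added example: audit a mount table for separate /home and /tmp mounts
# carrying the noexec,nosuid,nodev options. Column layout is the one shared
# by /proc/mounts and /etc/fstab: device mountpoint fstype options dump pass.

# Constructed sample table (not from a real system); /tmp lacks noexec and
# /var is not a separate mount at all.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev 0 0
/dev/sda4 /usr ext3 rw 0 0'

# mount_options TABLE MOUNTPOINT
# Prints the option field of MOUNTPOINT; exits 1 if it is not its own mount.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp { print $4; found = 1 }
        END { if (!found) exit 1 }'
}

# has_option OPTIONS OPT
# Succeeds if OPT is one of the comma-separated OPTIONS (exact match, so
# "noexec" does not match "exec" or "rw").
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_options TABLE MOUNTPOINT
# Prints nothing and returns 0 when all three options are present,
# "missing <opts>" and returns 1 when some are absent,
# "not a separate mount" and returns 2 when the path has no mount entry.
missing_options() {
    opts=$(mount_options "$1" "$2") || { echo "not a separate mount"; return 2; }
    missing=""
    for want in noexec nosuid nodev; do
        has_option "$opts" "$want" || missing="$missing $want"
    done
    if [ -n "$missing" ]; then
        echo "missing ${missing# }"
        return 1
    fi
    return 0
}

# audit TABLE
# One line per mountpoint checked; returns 1 if any mountpoint has a gap.
audit() {
    rc=0
    for mp in /home /tmp; do
        if result=$(missing_options "$1" "$mp"); then
            echo "$mp: ok"
        else
            echo "$mp: $result"
            rc=1
        fi
    done
    return $rc
}

# Run against the constructed sample; substitute "$(cat /proc/mounts)" to
# audit a live system.
audit "$SAMPLE_MOUNTS" || echo "audit found gaps (exit $?)"
```

Running it on the sample reports /home as ok and /tmp as missing noexec; pointing it at a real /proc/mounts gives the same report for the live layout, and /etc/fstab can be passed instead to check what will be mounted at boot.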