|
Lines 757-770
Link Here
|
| 757 |
/dev/cdroms /cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0 |
757 |
/dev/cdroms /cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0 |
| 758 |
proc /proc proc defaults 0 0 |
758 |
proc /proc proc defaults 0 0 |
| 759 |
</pre> |
759 |
</pre> |
| 760 |
<warn>Placing <path>/tmp</path> in noexec mode can prevent certain scripts from executing properly</warn> |
760 |
<warn>Placing <path>/tmp</path> in <c>noexec</c> mode can prevent certain scripts from executing properly</warn> |
| 761 |
<note>Disk quotas is described in another chapter</note> |
761 |
<note>For quotas see <uri link="#doc_chap6_sect3">Quotas section</uri>.</note> |
| 762 |
|
762 |
|
| 763 |
<note> |
763 |
<note> |
| 764 |
I do not set <path>/var</path> to <c>noexec</c> or <c>nosuid</c> even if files normally are never executed from this mount point. The reason for this is that qmail is installed in <path>/var/qmail</path> and must be allowed to execute and access one SUID file. I setup <path>/usr</path> in read-only mode since I never write anything there unless I want to update Gentoo. Then I remount the file system in read-write mode, update and remount again. |
764 |
I do not set <path>/var</path> to <c>noexec</c> or <c>nosuid</c> even if files normally are never executed from this mount point. The reason for this is that qmail is installed in <path>/var/qmail</path> and must be allowed to execute and access one SUID file. I setup <path>/usr</path> in read-only mode since I never write anything there unless I want to update Gentoo. Then I remount the file system in read-write mode, update and remount again. |
| 765 |
</note> |
765 |
</note> |
| 766 |
|
766 |
|
| 767 |
<note>Even if you do not use qmail, Gentoo still needs the executable bit set on <path>/var/tmp</path> since ebuilds are made here. But an alternative path can be setup if you insists on having <path>/var</path> in noexec mode. |
767 |
<note>Even if you do not use qmail, Gentoo still needs the executable bit set on <path>/var/tmp</path> since ebuilds are made here. But an alternative path can be setup if you insists on having <path>/var</path> in <c>noexec</c> mode. |
| 768 |
</note> |
768 |
</note> |
| 769 |
|
769 |
|
| 770 |
</body> |
770 |
</body> |
|
Lines 827-833
Link Here
|
| 827 |
<body> |
827 |
<body> |
| 828 |
|
828 |
|
| 829 |
<warn> |
829 |
<warn> |
| 830 |
Make sure the file systems you are working with support quotas. ReiserFS is not one of them! |
830 |
Make sure the file systems you are working with support quotas and <c>reiserfs</c> is not one of them. |
| 831 |
</warn> |
831 |
</warn> |
| 832 |
|
832 |
|
| 833 |
<p> |
833 |
<p> |
|
Lines 1000-1006
Link Here
|
| 1000 |
<body> |
1000 |
<body> |
| 1001 |
|
1001 |
|
| 1002 |
<p> |
1002 |
<p> |
| 1003 |
Files with the SUID or SGID bit set allows the files to execute with privileges of the <e>owning</e> user or group and not the user executing the file. Normally these bits are used on files that must run as root in order to do what they do. These files can lead to local root compromise (if they contain security holes). This is dangerous and files with the SUID or SGID bits set should be avoided at any cost. If you do not use the files use <c>chmod 0</c> on them or unmerge the package they came from (check which package they belong to by using <c>qpkg -f</c>). If you do not already have it installed simply <c>emerge gentoolkit</c> it). Otherwise just turn the SUID bit off with <c>chmod -s</c>. |
1003 |
Files with the SUID or SGID bit set allows the files to execute with privileges of the <e>owning</e> user or group and not the user executing the file. Normally these bits are used on files that must run as root in order to do what they do. These files can lead to local root compromise (if they contain security holes). This is dangerous and files with the SUID or SGID bits set should be avoided at any cost. If you do not use the files use <c>chmod 0</c> on them or unmerge the package they came from (check which package they belong to by using <c>qpkg -f</c>). If you do not already have it installed simply type <c>emerge gentoolkit</c>). Otherwise just turn the SUID bit off with <c>chmod -s</c>. |
| 1004 |
</p> |
1004 |
</p> |
| 1005 |
|
1005 |
|
| 1006 |
<pre caption="Finding setuid files"> |
1006 |
<pre caption="Finding setuid files"> |
|
Lines 1656-1662
Link Here
|
| 1656 |
</warn> |
1656 |
</warn> |
| 1657 |
|
1657 |
|
| 1658 |
<p> |
1658 |
<p> |
| 1659 |
One can find documentation at <uri>http://www.pureftpd.org</uri> |
1659 |
One can find documentation at <uri>http://www.pureftpd.org</uri>. |
| 1660 |
</p> |
1660 |
</p> |
| 1661 |
|
1661 |
|
| 1662 |
</body> |
1662 |
</body> |
|
Lines 1818-1823
Link Here
|
| 1818 |
<impo> |
1818 |
<impo> |
| 1819 |
Bind is known for its lousy security history and that should not be taken lightly. As with any other service it should <e>never</e> run as root so please do not change the default configuration for this service. |
1819 |
Bind is known for its lousy security history and that should not be taken lightly. As with any other service it should <e>never</e> run as root so please do not change the default configuration for this service. |
| 1820 |
</impo> |
1820 |
</impo> |
|
|
1821 |
<p> |
| 1822 |
One can find documentation at the <uri link="http://www.isc.org/products/BIND/bind9.html">Internet Software Consortium</uri> the BIND 9 Administrator Reference Manual is also in the <path>doc/arm</path>. |
| 1823 |
</p> |
| 1824 |
|
| 1825 |
</body> |
| 1826 |
</section> |
| 1821 |
|
1827 |
|
| 1822 |
<comment> |
1828 |
<comment> |
| 1823 |
<p> |
1829 |
<p> |
|
Lines 1896-1907
Link Here
|
| 1896 |
</note> |
1902 |
</note> |
| 1897 |
</comment> |
1903 |
</comment> |
| 1898 |
|
1904 |
|
| 1899 |
<p> |
|
|
| 1900 |
One can find documentation at the <uri link="http://www.isc.org/products/BIND/bind9.html">Internet Software Consortium</uri> the BIND 9 Administrator Reference Manual is also in the <path>doc/arm</path>. |
| 1901 |
</p> |
| 1902 |
|
| 1903 |
</body> |
| 1904 |
</section> |
| 1905 |
|
1905 |
|
| 1906 |
<section> |
1906 |
<section> |
| 1907 |
<title>Djbdns</title> |
1907 |
<title>Djbdns</title> |
