Good Idea / Bad Idea - /dev/shm with nosuid, nodev, and noexec
steve at betterlinux.com
Fri Jul 27 18:07:47 MDT 2012
I have seen multiple script kiddies try to hide stuff in /dev/shm due to it generally being available and allowing executables. No exec is a good idea, though I would test any important apps before doing production that way.
On a side note, the best deterrent I have found for script kiddies was to lock down outbound connections to only specifically what you need. If they cannot connect out, the server becomes a lot less desirable. Of course, keeping them out in the first place is best, but you cannot always control that with other users that can run whatever they want to.
Sent from my iPhone
On Jul 27, 2012, at 5:38 PM, Joshua Marsh <joshua at themarshians.com> wrote:
> On Fri, Jul 27, 2012 at 5:05 PM, Jacob Albretsen <jakea at xmission.com> wrote:
>> I am hardening some CentOS 5 and 6 boxes, and one of the recommendations
>> reading is to mount /dev/shm with nosuid, nodev, and noexec. I've read
>> what /dev/shm is, but I lack a deeper understanding. I've seen some things
>> online talking about it, but nothing concrete as to why it's a good idea
>> than "it's more secure". Can anyone enlighten me more about this? I don't
>> want to run into any unintended issues down the road (will XYZ services
>> work, can I still run VMs, etc etc)
More information about the PLUG