> This configuration would prevent any hack entry into the server (via bugs/
> stack overflow, etc) from being able to do anything to the data (no write
> down). Without the exec, no shell process could be generated. The
> most that
Sorry, disabling exec is security by obscurity (it will deter 95%
attacks, still!). You can do exec without actually invoking exec
system call -- you close some fds, mmap executable somewhere into your
address space, unmap old files ... and you've done exec() without
actually doing exec. (Mj's freezer does something pretty similar --
for example he could freeze bash then unfreeze it into your web
server!)
Pavel
-- I'm pavel@ucw.cz. "In my country we have almost anarchy and I don't care." Panos Katsaloulis describing me w.r.t. patents me at discuss@linmodems.org- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/