[Catalyst] Re: Mmap of shared file Operation not permitted
Dennis Daupert
ddaupert at sbcglobal.net
Tue Aug 28 22:18:55 GMT 2007
Wade:
> While changing the mount options of tmp would "fix" the error you
> are seeing and is the cause of the error, it usually makes sense
> to leave those options on tmp.
> noexec and other limiting options on /tmp are to help starve off
> common security exploits (such as rootkit creation -- exec -- rm
> inode).
> My suggested fix would be to store the session data (and all app
> related data) in a directory that has been setup for the app
> (tmpfs or real). This is more secure as you can limit entry to
> the directory structure to the app and other related processes
> (via running user).
That makes very good sense. My plan has been to configure mod_security for app protection, but I hadn't thought about a rootkit slipped in through /tmp. Also, I was a bit caught up in a "forest vs trees" blindspot. C-P-Session-Cache wanted to run a test mmap on /tmp/sessionstoretest/session_data, and refused to install after getting the error. I was locked into the installation conundrum, hadn't thought yet about repointing the cache elsewhere. I will do so now.
Thank you, Wade.
/dennis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.scsys.co.uk/pipermail/catalyst/attachments/20070828/be94ea4f/attachment.htm
More information about the Catalyst
mailing list