[lug] Signs of hacking (was ARRG! Change One Little Thing And... HACKED?

Bear Giles bgiles at coyotesong.com
Tue Aug 16 11:30:38 MDT 2005


Michael Belanger wrote:
> Remember to only allow exec and suid from valid filesystems like /usr. 
> DON'T let TMP do suid or exec!! This is the easiest path towards rootkit.
> 
>  /tmp       loop,noexec,nosuid,rw

Some package installers break if /tmp has noexec set.  They try to
be clever and use a meta-installer that builds the actual
installer on the fly.

I would use the tmpfs device instead of looping to a real file.
That way you're 100% certain that the directory is purged after
every reboot.
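
An added example, not part of the original message: a small audit of the mount options discussed in this thread, reading a mount table in /proc/mounts format on stdin. The function names check_scratch_mount and sample_mounts and the sample table are assumptions constructed for illustration; the second output column shows whether the mount is tmpfs (cleared at reboot) or a real file system.

```sh
#!/bin/sh
# Added example: report whether a scratch mount point carries noexec and nosuid.
# Input: a mount table in /proc/mounts format on stdin.
# check_scratch_mount and sample_mounts are hypothetical helper names.

check_scratch_mount() {
    # $1 = mount point; prints "<mount point> <fstype> <ok|missing:opts>"
    awk -v mp="$1" '
        $2 == mp { fstype = $3; opts = $4; found = 1 }  # last entry wins (overmounts)
        END {
            # No entry means the directory lives on its parent file system
            # and inherits that file system exec/suid behaviour.
            if (!found) { print mp, "-", "not-a-separate-mount"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            missing = ""
            if (!("noexec" in have)) missing = missing ",noexec"
            if (!("nosuid" in have)) missing = missing ",nosuid"
            if (missing == "") print mp, fstype, "ok"
            else print mp, fstype, "missing:" substr(missing, 2)
        }'
}

# Constructed sample mount table (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/hda1 / ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec 0 0
/dev/loop0 /var/tmp ext2 rw,nosuid 0 0
tmpfs /dev/shm tmpfs rw 0 0
EOF
}

# Stand-alone run: audit the constructed sample first.
for mp in /tmp /var/tmp /dev/shm /home; do
    sample_mounts | check_scratch_mount "$mp"
done

# Then audit the live table, if this host exposes one.
if [ -r /proc/mounts ]; then
    check_scratch_mount /tmp < /proc/mounts
fi
```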


