From owner-freebsd-questions@FreeBSD.ORG  Sun Apr 16 21:19:21 2006
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 730C816A400
	for <freebsd-questions@freebsd.org>;
	Sun, 16 Apr 2006 21:19:21 +0000 (UTC)
	(envelope-from cperciva@freebsd.org)
Received: from pd2mo3so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net
	[24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0CF6743D4C
	for <freebsd-questions@freebsd.org>;
	Sun, 16 Apr 2006 21:19:20 +0000 (GMT)
	(envelope-from cperciva@freebsd.org)
Received: from pd4mr8so.prod.shaw.ca
	(pd4mr8so-qfe3.prod.shaw.ca [10.0.141.101]) by l-daemon
	(Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004))
	with ESMTP id <0IXU00CNN37V3030@l-daemon> for
	freebsd-questions@freebsd.org; Sun, 16 Apr 2006 15:19:07 -0600 (MDT)
Received: from pn2ml4so.prod.shaw.ca ([10.0.121.148])
	by pd4mr8so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01
	(built Mar
	15 2004)) with ESMTP id <0IXU009HL37VZ660@pd4mr8so.prod.shaw.ca> for
	freebsd-questions@freebsd.org; Sun, 16 Apr 2006 15:19:07 -0600 (MDT)
Received: from [192.168.0.60] ([24.82.18.31])
	by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15
	2004)) with ESMTP id <0IXU008QL37U2ZH0@l-daemon> for
	freebsd-questions@freebsd.org; Sun, 16 Apr 2006 15:19:07 -0600 (MDT)
Date: Sun, 16 Apr 2006 14:19:04 -0700
From: Colin Percival <cperciva@freebsd.org>
In-reply-to: <20060416205147.6544228454@porsche.brendan.id.au>
To: Brendan Grossman <brendan@grossman.id.au>
Message-id: <4442B4C8.40602@freebsd.org>
MIME-version: 1.0
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7bit
X-Enigmail-Version: 0.94.0.0
References: <20060416205147.6544228454@porsche.brendan.id.au>
User-Agent: Thunderbird 1.5 (X11/20060112)
Cc: freebsd-questions@freebsd.org
Subject: Re: /boot at beginning of drive
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Apr 2006 21:19:21 -0000

Brendan Grossman wrote:
> Here is my reason for separating /tmp and mounting it noexec,nosuid:
> 
> http://www.sagonet.com/forums/showthread.php?t=2852

Quoth mount(8):
             noexec  Do not allow execution of any binaries on the mounted
                     file system.  This option is useful for a server that has
                     file systems containing binaries for architectures other
                     than its own.  Note: This option was not designed as a
                     security feature and no guarantee is made that it will
                     prevent malicious code execution; for example, it is
                     still possible to execute scripts which reside on a
                     noexec mounted partition.

Mounting /tmp as noexec causes perfectly good code to gratuitously fail,
while providing no real security improvement.

Colin Percival
FreeBSD Security Officer