Date:      Thu, 22 Sep 2005 14:13:27 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Borja Marcos <borjamar@sarenet.es>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Mounting filesystems with "noexec"
Message-ID:  <20050922121326.GA66046@eddie.nitro.dk>
In-Reply-To: <F02FC593-8F19-40D4-B1E7-63B78F1E5300@sarenet.es>
References:  <F02FC593-8F19-40D4-B1E7-63B78F1E5300@sarenet.es>


On 2005.09.22 13:11:43 +0200, Borja Marcos wrote:

> I've been playing a bit with the "noexec" flag for filesystems. It
> can represent a substantial obstacle against the exploitation of
> security holes.

Please note the following from the mount(8) manual page:

     noexec  Do not allow execution of any binaries on the mounted
             file system.  This option is useful for a server that has
             file systems containing binaries for architectures other
             than its own.  Note: This option was not designed as a
             security feature and no guarantee is made that it will
             prevent malicious code execution; for example, it is
             still possible to execute scripts which reside on a
             noexec mounted partition.

I don't know if it makes sense to log noexec failures, but at least
it's important that people don't completely rely on noexec for
security.

-- 
Simon L. Nielsen
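
The mount(8) caveat quoted above means a noexec file system can still hold files that an interpreter will run. The following sh functions are an added example, not part of the original message: they pull the noexec mount points out of `mount` output and list the files under them that start with `#!`. The function names are hypothetical, and the `<dev> on <mountpoint> (<type>, <opt>, ...)` line format is an assumption about FreeBSD's `mount` output.

```sh
#!/bin/sh
# Added example: inventory interpreter-runnable scripts on noexec mounts.
# Function names are hypothetical. Assumed input format (FreeBSD mount output):
#   <dev> on <mountpoint> (<type>, <opt>, ...)

# Read mount output on stdin; print mount points whose options include noexec.
noexec_mounts() {
    while IFS= read -r line; do
        opts=${line##*\(}          # text after the last "("
        opts=${opts%\)*}           # drop the trailing ")"
        case ", $opts," in
            *", noexec,"*) ;;      # exact option match, not a substring
            *) continue ;;
        esac
        mp=${line#* on }           # strip "<dev> on "
        mp=${mp% \(*}              # strip " (<options>)"
        printf '%s\n' "$mp"
    done
}

# Print "<path><TAB><interpreter>" for every regular file under $1 that begins
# with "#!", whether or not its execute bit is set. -xdev keeps find on the
# file system it started on. File names containing newlines are not handled.
scripts_under() {
    find "$1" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        # Look at the two magic bytes only, so large binaries are not read.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null | tr -d '\000')
        [ "$magic" = '#!' ] || continue
        first=
        IFS= read -r first < "$f" || :   # tolerate a missing final newline
        printf '%s\t%s\n' "$f" "${first#??}"
    done
}

# Combine both: mount output on stdin, script inventory on stdout.
audit_noexec() {
    noexec_mounts | while IFS= read -r mp; do
        scripts_under "$mp"
    done
}

# Usage on a live host:  mount | audit_noexec
```

Every path it prints is a file that noexec does not stop from running through its interpreter, so the list shows what still has to be covered by permissions and ownership on those file systems.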
