From owner-freebsd-security@FreeBSD.ORG  Thu Sep 22 12:17:16 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6E33816A41F
	for <freebsd-security@freebsd.org>;
	Thu, 22 Sep 2005 12:17:16 +0000 (GMT)
	(envelope-from simon@eddie.nitro.dk)
Received: from nfishbone.nitro.dk
	(cpe.atm2-0-71337.0x535ccf26.taanxx2.customer.tele.dk [83.92.207.38])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4E97343D55
	for <freebsd-security@freebsd.org>;
	Thu, 22 Sep 2005 12:17:14 +0000 (GMT)
	(envelope-from simon@eddie.nitro.dk)
Received: from eddie.nitro.dk (localhost [127.0.0.1])
	by nfishbone.nitro.dk (Postfix) with ESMTP id 1D6AC61C2C
	for <freebsd-security@freebsd.org>;
	Thu, 22 Sep 2005 14:17:10 +0200 (CEST)
Received: by eddie.nitro.dk (Postfix, from userid 1000)
	id 62C4D11A320; Thu, 22 Sep 2005 14:13:27 +0200 (CEST)
Date: Thu, 22 Sep 2005 14:13:27 +0200
From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Borja Marcos <borjamar@sarenet.es>
Message-ID: <20050922121326.GA66046@eddie.nitro.dk>
References: <F02FC593-8F19-40D4-B1E7-63B78F1E5300@sarenet.es>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="2fHTh5uZTiUOsy+g"
Content-Disposition: inline
In-Reply-To: <F02FC593-8F19-40D4-B1E7-63B78F1E5300@sarenet.es>
User-Agent: Mutt/1.5.11
Cc: freebsd-security@freebsd.org
Subject: Re: Mounting filesystems with "noexec"
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Sep 2005 12:17:16 -0000


--2fHTh5uZTiUOsy+g
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On 2005.09.22 13:11:43 +0200, Borja Marcos wrote:

> I've been playing a bit with the "noexec" flag for filesystems. It
> can represent a substantial obstacle against the exploitation of
> security holes.

Please note the following from the mount(8) manual page:

     noexec  Do not allow execution of any binaries on the mounted
             file system.  This option is useful for a server that has
             file systems containing binaries for architectures other
             than its own.  Note: This option was not designed as a
             security feature and no guarantee is made that it will
             prevent malicious code execution; for example, it is
             still possible to execute scripts which reside on a
             noexec mounted partition.

I don't know if it makes sense to log noexec failures, but at least
it's important that people don't completely rely on noexec for
security.

--=20
Simon L. Nielsen

--2fHTh5uZTiUOsy+g
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDMp/mh9pcDSc1mlERAnLOAJ0WqGjhfVfyTTwW4bdBrCWSxI7/3ACggZVD
YBe2yVRDSJQcW0PPckKsSdc=
=wk35
-----END PGP SIGNATURE-----

--2fHTh5uZTiUOsy+g--