From: Kris Moore
Date: Wed, 30 Apr 2008 12:03:01 -0400
To: Joe Marcus Clarke
Cc: freebsd-gnome@freebsd.org
Subject: Re: Question about noexec flag in HAL

Joe,

Thanks for getting back to me on this. Is there any way we can drop this flag by default? It messes with our PBI system, which are executables. Currently users have to copy a PBI file from CD or USB to their desktop before installing, when they should really be able to just double-click and have it go.
I don't believe there will be any security issues; in past versions of HAL I've been taking this flag out, and we've not seen any problems with doing so.

Thanks!

-- 
Kris Moore
PC-BSD Software
http://www.pcbsd.com

Joe Marcus Clarke wrote:
> On Tue, 2008-04-29 at 15:07 -0400, Kris Moore wrote:
>> Hopefully just a quick question. In the past I've had to compile HAL
>> with a patch to disable the noexec flag from being used when mounting
>> CD's. The lines in question are below:
>>
>> tools/hal-storage-mount.c
>> #ifdef __FreeBSD__
>> #define MOUNT "/sbin/mount"
>> -#define MOUNT_OPTIONS "noexec,nosuid"
>> +#define MOUNT_OPTIONS "nosuid"
>> #define MOUNT_TYPE_OPT "-t"
>>
>> This has been rather of a pain, since I don't want to keep making a
>> custom patch to remove this flag. Is there some other easy way to remove
>> the noexec flag from being used in CD mounting? I've tried by putting
>> this in my /usr/local/etc/hal/fdi/policy/preferences.fdi file:
>>
>>
>>
>> > type="bool">false
>>
>>
>>
>> However, it doesn't seem to make a difference :(
>>
>>
>> Any other hints? Or am I stuck patching HAL itself?
>
> For now, you'll have to patch hal. It's up to the application
> requesting the FS mount to specify the mount options. However, the
> hardcoded mount options cannot be overridden. I'm willing to entertain
> the idea of dropping noexec as Linux does, but I'm not sure what the
> overall security impact of that change might be.
>
> Joe
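
Review bot: the `MOUNT_OPTIONS` change under `#ifdef __FreeBSD__` drops `noexec` for every mount that uses this define, and nothing in the visible lines limits it to CD media, although the stated goal is only CD mounting. Consider keeping "noexec,nosuid" as the default and making the relaxed value opt-in (for example behind a build-time switch), and add a comment next to the define recording why `nosuid` is retained while `noexec` is not.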