From owner-freebsd-security@FreeBSD.ORG Fri Sep 23 22:03:05 2005
Return-Path: <randall@ucsb.edu>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1EBCE16A41F; Fri, 23 Sep 2005 22:03:05 +0000 (GMT) (envelope-from randall@ucsb.edu)
Received: from isber.ucsb.edu (research.isber.ucsb.edu [128.111.147.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id D719743D48; Fri, 23 Sep 2005 22:03:04 +0000 (GMT) (envelope-from randall@ucsb.edu)
Received: from localhost ([127.0.0.1] helo=[128.111.147.11]) by isber.ucsb.edu with esmtp (Exim 3.36 #2) id 1EIvdA-000IvF-00; Fri, 23 Sep 2005 15:02:56 -0700
Message-ID: <43347BC3.7000308@ucsb.edu>
Date: Fri, 23 Sep 2005 15:03:47 -0700
From: "randall s. ehren" <randall@ucsb.edu>
Organization: ISBER (Institute for Social, Behavioral, and Economic Research)
User-Agent: Thunderbird 1.4 (Windows/20050908)
MIME-Version: 1.0
To: markzero
Cc: freebsd-security@freebsd.org
References: <43332CD7.4070107@romab.com> <726F1E71-D4D9-4C34-848D-868C1158834E@sarenet.es> <43345736.3090602@gugol.ru> <20050923215556.GB72838@logik.internal.network>
In-Reply-To: <20050923215556.GB72838@logik.internal.network>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanner: exiscan *1EIvdA-000IvF-00*l2YaapjCFtI*
Subject: Re: mounting filesystems with "noexec"
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Fri, 23 Sep 2005 22:03:05 -0000

> With all that has been said so far, what is the actual point of
> the noexec flag?

It prevents executables from being executed on a specific partition.

For instance, you can mount /var with the noexec flag, and if you then try to run any binaries (executables) from /var, they simply will not execute.

    root@server[~]% grep 'noexec' /etc/fstab
    /dev/aacd0s1h  /var  ufs  rw,noexec,nosuid  2  2
    root@server[~]% cp /usr/bin/top /var/top
    root@server[~]% /var/./top
    /var/./top: Permission denied.

-randall

--
:// randall s. ehren      :// voice 805.893.5632
:// systems administrator :// isber|survey|avss.ucsb.edu
:// institute for social, behavioral, and economic research