From owner-freebsd-security@FreeBSD.ORG Sat Sep 24 01:02:55 2005
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5AEFC16A41F for ; Sat, 24 Sep 2005 01:02:55 +0000 (GMT) (envelope-from dart@es.net)
Received: from postal2.es.net (postal2.es.net [198.128.3.206]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0599A43D53 for ; Sat, 24 Sep 2005 01:02:54 +0000 (GMT) (envelope-from dart@es.net)
Received: from [198.128.1.31] ([198.128.1.31]) by postal2.es.net (Postal Node 2) with ASMTP (SSL) id IBA74465 for ; Fri, 23 Sep 2005 15:59:13 -0700
Message-ID: <433488C1.5030906@es.net>
Date: Fri, 23 Sep 2005 15:59:13 -0700
From: Eli Dart
Organization: Energy Sciences Network
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050726)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
References: <43332CD7.4070107@romab.com> <726F1E71-D4D9-4C34-848D-868C1158834E@sarenet.es> <43345736.3090602@gugol.ru> <20050923215556.GB72838@logik.internal.network> <43347BC3.7000308@ucsb.edu>
In-Reply-To: <43347BC3.7000308@ucsb.edu>
X-Enigmail-Version: 0.92.0.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: mounting filesystems with "noexec"
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: dart@es.net
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 24 Sep 2005 01:02:55 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

randall s. ehren wrote:
>> With all that has been said so far, what is the actual point of
>> the noexec flag?
>
>
> it prevents executables from being executed on a specific partition.
>
> for instance, you can mount /var with the noexec flag and if you then
> try to run any binaries (executables) from /var they simply will not
> execute.

Note that while there may be many ways to circumvent noexec in many
circumstances, it still raises the bar. If attempts to execute on a
filesystem mounted noexec can be logged (and the logs are sent off-box)
you have a chance of seeing something. Also, if the execution is part of
an automated tool, noexec can cause the tool to fail.

It may not be perfect, but I don't consider it useless.

--eli

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFDNIjBLTFEeF+CsrMRAuFAAJ9xnIPezUj/RTir7gggcXyAj5MvdwCdE0On
DcSKlSJbn5Q/dVsFvYv4Fuc=
=MHif
-----END PGP SIGNATURE-----
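Added example, not part of the message above and not FreeBSD project code: a POSIX shell audit that takes fstab-format text (the same six columns that FreeBSD's fstab, `mount -p` and Linux's /proc/mounts all use) and reports the mountpoints a hardening baseline expects to be noexec but whose option list lacks it. The sample fstab and the list of mountpoints to check (/var, /tmp, /home) are constructed assumptions for the example; adjust WANT_NOEXEC to your own policy.

```shell
#!/bin/sh
# Added example: audit fstab-format text for missing "noexec" options.

# Constructed sample fstab (assumption, not from any real host).
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options           Dump  Pass#
/dev/ada0p2     /           ufs     rw                1     1
/dev/ada0p3     /var        ufs     rw,nosuid         2     2
/dev/ada0p4     /tmp        ufs     rw,noexec,nosuid  2     2
/dev/ada0p5     /usr        ufs     rw                2     2
/dev/ada0p6     /home       ufs     rw,nosuid,noexec  2     2
/dev/ada0p1     none        swap    sw                0     0'

# Mountpoints the (assumed) baseline requires to be mounted noexec.
WANT_NOEXEC="/var /tmp /home"

# fstab_missing_noexec FSTAB_TEXT
# Prints one line per wanted mountpoint whose entry lacks "noexec", or
# "<mountpoint> (no entry)" when it is not listed at all. Comment and
# short lines are skipped. Exit status 0 if nothing is missing, 1 otherwise.
fstab_missing_noexec() {
    printf '%s\n' "$1" | awk -v want="$WANT_NOEXEC" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        /^[[:space:]]*#/ || NF < 4 { next }
        ($2 in need) {
            seen[$2] = 1
            m = split($4, o, ",")          # options are comma separated
            has = 0
            for (i = 1; i <= m; i++) if (o[i] == "noexec") has = 1
            if (!has) { print $2; missing = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) { print w[i] " (no entry)"; missing = 1 }
            exit (missing ? 1 : 0)
        }'
}

# live_missing_noexec
# Same check against the running system: /proc/mounts on Linux, or
# "mount -p" on FreeBSD, which prints the mount table in fstab format.
live_missing_noexec() {
    if [ -r /proc/mounts ]; then
        fstab_missing_noexec "$(cat /proc/mounts)"
    else
        fstab_missing_noexec "$(mount -p)"
    fi
}

# Stand-alone run: report on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    fstab_missing_noexec "$SAMPLE_FSTAB" && echo "all wanted mountpoints are noexec" \
        || echo "the mountpoints above lack noexec"
fi
```

Run with `--demo` to audit the constructed sample (it reports /var), or call `live_missing_noexec` on a real host. Keep in mind the caveat in the message: noexec makes execve() of a file on that filesystem fail, but it does not stop `sh /var/tmp/x.sh` or any other interpreter being handed the file as data, so this check tells you the bar is raised, not that execution from /var is impossible.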