Date: Fri, 23 Sep 2005 15:59:13 -0700
From: Eli Dart <dart@es.net>
To: freebsd-security@freebsd.org
Subject: Re: mounting filesystems with "noexec"
Message-ID: <433488C1.5030906@es.net>
In-Reply-To: <43347BC3.7000308@ucsb.edu>
References: <F02FC593-8F19-40D4-B1E7-63B78F1E5300@sarenet.es> <43332CD7.4070107@romab.com> <726F1E71-D4D9-4C34-848D-868C1158834E@sarenet.es> <43345736.3090602@gugol.ru> <20050923215556.GB72838@logik.internal.network> <43347BC3.7000308@ucsb.edu>
randall s. ehren wrote:

>> With all that has been said so far, what is the actual point of
>> the noexec flag?
>
> it prevents executables from being executed on a specific partition.
>
> for instance, you can mount /var with the noexec flag and if you then
> try to run any binaries (executables) from /var they simply will not
> execute.

Note that while there may be many ways to circumvent noexec in many circumstances, it still raises the bar. If attempts to execute on a filesystem mounted noexec can be logged (and the logs are sent off-box) you have a chance of seeing something. Also, if the execution is part of an automated tool, noexec can cause the tool to fail.

It may not be perfect, but I don't consider it useless.

--eli
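A defender-side check for the point made in this thread, added here as an example and not part of the original post: given fstab-style mount entries (the sample table below is constructed; on FreeBSD, `mount -p` prints the live mount table in the same format), the function reports which of the named mount points are not mounted with the noexec option, so a hardening policy for /var, /tmp and similar can be verified rather than assumed.

```sh
#!/bin/sh
# Added example (not from the original thread): audit fstab-style mount
# entries and report the requested mount points that lack "noexec".
# The table below is constructed for demonstration only.

SAMPLE_FSTAB=$(cat <<'EOF'
# Device        Mountpoint   FStype  Options            Dump Pass#
/dev/ada0p2     /            ufs     rw                 1    1
/dev/ada0p3     /var         ufs     rw,noexec,nosuid   2    2
/dev/ada0p4     /tmp         ufs     rw,nosuid          2    2
/dev/ada0p5     /usr/home    ufs     rw,noexec          2    2
md              /mnt/scratch mfs     rw,noexec,-s64m    0    0
EOF
)

# report_missing_noexec FSTAB_TEXT MOUNTPOINT...
# Prints, one per line, each requested mount point whose options field
# does not contain "noexec"; a mount point absent from the table is
# reported too, since it is then not protected by the table at all.
report_missing_noexec() {
    fstab=$1; shift
    for mp in "$@"; do
        # Field 2 is the mount point, field 4 the comma-separated options.
        opts=$(printf '%s\n' "$fstab" | awk -v mp="$mp" \
            '$1 !~ /^#/ && $2 == mp { print $4; found = 1 }
             END { if (!found) print "__absent__" }')
        case ",$opts," in
            *,noexec,*) ;;                 # noexec present: nothing to report
            *) printf '%s\n' "$mp" ;;
        esac
    done
}

# Sample run against the constructed table: /tmp lacks noexec and
# /nonexistent is not in the table, so both are reported.
report_missing_noexec "$SAMPLE_FSTAB" /var /tmp /usr/home /mnt/scratch /nonexistent
```

On a live FreeBSD host the same function can be fed `"$(mount -p)"` instead of the sample table, which checks what is actually mounted rather than what fstab intends.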