Re: mounting filesystems with "noexec"

From: Eli Dart (dart_at_es.net)
Date: 09/24/05

  • Next message: Simon L. Nielsen: "Re: mounting filesystems with "noexec""
    Date: Fri, 23 Sep 2005 15:59:13 -0700
    To: freebsd-security@freebsd.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    randall s. ehren wrote:
    >> With all that has been said so far, what is the actual point of
    >> the noexec flag?
    >
    >
    > it prevents executables from being executed on a specific partition.
    >
    > for instance, you can mount /var with the noexec flag and if you then
    > try to run any binaries (executables) from /var they simply will not
    > execute.

    Note that while there may be many ways to circumvent noexec in many
    circumstances, it still raises the bar. If attempts to execute on a
    filesystem mounted noexec can be logged (and the logs are sent off-box)
    you have a chance of seeing something. Also, if the execution is part
    of an automated tool, noexec can cause the tool to fail.

    It may not be perfect, but I don't consider it useless.

                    --eli
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (FreeBSD)

    iD8DBQFDNIjBLTFEeF+CsrMRAuFAAJ9xnIPezUj/RTir7gggcXyAj5MvdwCdE0On
    DcSKlSJbn5Q/dVsFvYv4Fuc=
    =MHif
    -----END PGP SIGNATURE-----
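
A check an administrator might run to confirm which paths actually sit on a filesystem configured noexec, added here as an illustration and not part of the original message. The fstab contents and device names are constructed, and the function names `covering_mount` and `audit_paths` are hypothetical.

```shell
#!/bin/sh
# Added example: which fstab entry holds a path, and is it mounted noexec?

# Constructed sample in fstab layout (device, mountpoint, fstype, options,
# dump, pass). Device names are made up; "noexecute" is a deliberate typo.
SAMPLE_FSTAB='# Device      Mountpoint  FStype  Options           Dump  Pass#
/dev/ad0s1a   /           ufs     rw                1     1
/dev/ad0s1b   none        swap    sw                0     0
/dev/ad0s1d   /var        ufs     rw,noexec,nosuid  2     2
/dev/ad0s1e   /tmp        ufs     rw,nosuid         2     2
/dev/ad0s1f   /home       ufs     rw,noexecute      2     2'

# covering_mount PATH < fstab
# Prints "<mountpoint> <noexec|exec>" for the longest mount point that is a
# path prefix of PATH. Options are compared exactly, not as substrings.
covering_mount() {
    awk -v p="$1" '
        $1 ~ /^#/ || NF < 4 || $2 !~ /^\// { next }   # comments, swap, junk
        {
            mp = $2
            covers = (mp == "/" || p == mp || index(p, mp "/") == 1)
            if (covers && length(mp) > length(best)) {
                best = mp; state = "exec"
                n = split($4, opt, ",")
                for (i = 1; i <= n; i++)
                    if (opt[i] == "noexec") state = "noexec"
            }
        }
        END { if (best != "") print best, state }'
}

# audit_paths FSTAB_TEXT PATH...
# Prints one line for every PATH whose filesystem still permits execution.
audit_paths() {
    table=$1; shift
    for p in "$@"; do
        r=$(printf '%s\n' "$table" | covering_mount "$p")
        case $r in
            *" noexec") ;;
            *) echo "$p: exec allowed (entry ${r% *})" ;;
        esac
    done
}

audit_paths "$SAMPLE_FSTAB" /var/tmp /tmp /home/alice /var
```

The table is only the configured intent; the options in force on a running system are the ones `mount` reports.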

