Re: mounting filesystems with "noexec"
From: Eli Dart (dart_at_es.net)
Date: 09/24/05
- Previous message: randall s. ehren: "Re: mounting filesystems with "noexec""
- In reply to: randall s. ehren: "Re: mounting filesystems with "noexec""
- Next in thread: Simon L. Nielsen: "Re: mounting filesystems with "noexec""
Date: Fri, 23 Sep 2005 15:59:13 -0700
To: freebsd-security@freebsd.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
randall s. ehren wrote:
>> With all that has been said so far, what is the actual point of
>> the noexec flag?
>
>
> it prevents executables from being executed on a specific partition.
>
> for instance, you can mount /var with the noexec flag and if you then
> try to run any binaries (executables) from /var they simply will not
> execute.

Note that while there may be many ways to circumvent noexec in many
circumstances, it still raises the bar.  If attempts to execute on a
filesystem mounted noexec can be logged (and the logs are sent off-box)
you have a chance of seeing something.  Also, if the execution is part
of an automated tool, noexec can cause the tool to fail.

It may not be perfect, but I don't consider it useless.

--eli
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)
iD8DBQFDNIjBLTFEeF+CsrMRAuFAAJ9xnIPezUj/RTir7gggcXyAj5MvdwCdE0On
DcSKlSJbn5Q/dVsFvYv4Fuc=
=MHif
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
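
Added example (not part of the original message or thread): a small sh audit that reports which watched mount points are not mounted with the noexec flag discussed above. It reads fstab(5)-format lines, as printed by `mount -p` on FreeBSD; the WATCH list and the sample device names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list watched mount points that lack the noexec option.
# Input: fstab(5)-format lines on stdin (device, mount point, type, options, ...).
# WATCH is an assumed default; set it to the filesystems that should never
# hold executables on your hosts.
WATCH="${WATCH:-/tmp /var /var/tmp /home}"

noexec_audit() {
    while read -r dev mnt fstype opts _rest; do
        # Skip blank lines and comments.
        case "$dev" in ''|'#'*) continue ;; esac
        # Only consider mount points on the watch list.
        case " $WATCH " in *" $mnt "*) ;; *) continue ;; esac
        # Match noexec as a whole comma-separated option, not a substring.
        case ",$opts," in
            *,noexec,*) ;;
            *) printf '%s %s %s\n' "$mnt" "$fstype" "$opts" ;;
        esac
    done
}

# Constructed sample input in `mount -p` layout (not taken from a real host).
sample_mounts() {
cat <<'EOF'
/dev/ad0s1a / ufs rw 1 1
/dev/ad0s1e /tmp ufs rw,noexec,nosuid 2 2
/dev/ad0s1f /var ufs rw 2 2
/dev/ad0s1g /home ufs rw,nosuid 2 2
devfs /dev devfs rw 0 0
EOF
}

# Demonstration on the sample; on a live FreeBSD host use: mount -p | noexec_audit
sample_mounts | noexec_audit
```

Each output line is a watched filesystem that still permits execution, which makes the result easy to feed into a periodic report that is shipped off-box.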