Re: mounting filesystems with "noexec"

suporte_at_wahtec.com.br
Date: 09/24/05

  • Next message: Bigby Findrake: "Re: Encrypt some services with ipsec"
    To: freebsd-security@freebsd.org
    Date: Sat, 24 Sep 2005 20:33:14 +0000
    
    

    >
    > On 2005.09.23 22:55:56 +0100, markzero wrote:
    > > With all that has been said so far, what is the actual point of
    > > the noexec flag?
    > >
    > From mount(8) (yes I like quoting the docs. when we have them ;);) ):
    >
    >         This option is useful for a server that has file systems
    >         containing binaries for architectures other than its own.

    Sorry Simon and others,

    Where has the least privilege principle gone? If there isn't any necessity to
    have normal or suid binaries on a partition, why enable it?

    Doesn't using it on a data-only partition with a chrooted application limit
    any possible damage? Like file upload and execution using an application
    security flaw could be stopped at some point.

    Saying one can easily do privilege escalation (like people are saying) doesn't
    eliminate the need for file permissions and other access policies.

    Regards,
    --aristeu
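
The data-only partition argument above can be checked mechanically. The following is an added example, not part of the original message: a POSIX sh function that audits an fstab(5)-format file and reports data-only mount points lacking `noexec` or `nosuid`. The `DATA_MOUNTS` policy list and the sample fstab are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): flag data-only mounts in an
# fstab(5)-format file that are missing the noexec or nosuid option.
# DATA_MOUNTS is a hypothetical site policy; adjust it to your layout.
DATA_MOUNTS="${DATA_MOUNTS:-/tmp /var/tmp /home /var/www/uploads}"

# Constructed sample input in FreeBSD fstab layout (not a real system).
sample_fstab() {
    cat <<'EOF'
# Device     Mountpoint        FStype  Options           Dump Pass
/dev/ad0s1a  /                 ufs     rw                1    1
/dev/ad0s1e  /tmp              ufs     rw,noexec,nosuid  2    2
/dev/ad0s1f  /home             ufs     rw,nosuid         2    2
/dev/ad0s1g  /var/www/uploads  ufs     rw                2    2
EOF
}

# audit_fstab [file]: reads the file (or stdin when no file is given) and
# prints one line per finding: "<mountpoint> missing:<flag>[,<flag>]".
audit_fstab() {
    awk -v policy="$DATA_MOUNTS" '
        BEGIN { n = split(policy, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /^[ \t]*#/ || NF < 4 { next }   # skip comments and incomplete lines
        !($2 in want)        { next }   # only mounts the policy calls data-only
        {
            has_noexec = 0; has_nosuid = 0
            m = split($4, opt, ",")     # match whole options, not substrings
            for (i = 1; i <= m; i++) {
                if (opt[i] == "noexec") has_noexec = 1
                if (opt[i] == "nosuid") has_nosuid = 1
            }
            miss = ""
            if (!has_noexec) miss = "noexec"
            if (!has_nosuid) { if (miss == "") miss = "nosuid"; else miss = miss ",nosuid" }
            if (miss != "") print $2 " missing:" miss
        }
    ' ${1:+"$1"}
}

# Stand-alone run over the constructed sample.
sample_fstab | audit_fstab
```

On a real host, point it at the live table with `audit_fstab /etc/fstab`; `/` is deliberately outside the policy list because it has to carry executables.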

