Tim ignored_mailbox at yahoo.com.au
Mon Jun 4 11:31:04 UTC 2007

>> The other catch is that being able to execute stuff in your home folder
>> is a bit of a security risk.

Andreas Bernauer:
> On what theory do you base this (IMHO weird) statement?  

Don't you read any of the security notices?  Mounting /home as noexec is
a very old, and wise, technique for making a system more secure.  The
same goes for mounting /tmp and /var noexec.  Why do you think there's
an option to mount a partition with the noexec parameter?

If a user can create and run a program, they can do much more to a
system than one who can't.  Ordinarily, they can't do that.  At the
simplest level they can stuff up their own files, or bog a system down
with a heavy workload.  But if you exploit a software fault, at the same
time, you can do worse.

All it takes is to browse a website that exploits your browser, and
there's an unknown program running on your computer.  But without any
execute permissions, it can't do a thing.

(This box runs FC6, my others run FC4 & FC5, in case that's
 important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

More information about the fedora-list mailing list