$HOME/bin
Andreas Bernauer
fedora at lysium.de
Mon Jun 4 13:36:21 UTC 2007
Les Mikesell wrote on Mon, Jun 04 2007 at 08:06 (-0500):
> Ed Greshko wrote:
>
> >>>>The other catch is that being able to execute stuff in your home folder
> >>>>is a bit of a security risk.
> >>Andreas Bernauer:
> >>>On what theory do you base this (IMHO weird) statement?
> >>Don't you read any of the security notices? Mounting /home as noexec is
> >>a very old, and wise, technique for making a system more secure. The
> >>same goes for mounting /tmp and /var noexec. Why do you think there's
> >>an option to mount a partition with the noexec parameter?
> >>
> >>If a user can create and run a program, they can do much more to a
> >>system than one who can't.
>
> There are always tradeoffs between usability and security. This one is
> pretty extreme, even for people who just write a few convenience scripts
> so they don't have to repeated type long command lines to unix tools for
> things they do more than once.
I don't use noexec for obvious reasons (compiling, etc.).
Concerning the scripts in your home directory, I don't think bash,
tcsh, perl, etc. care about the noexec bit when they read the script
from the partition. Calling the scripts is inconvenient, but still
possible.
Concerning noexec on modern operating systems, I don't see why users
who can create an executable program can do much more harm than users
who cannot, since modern operating systems allow the dynamic loading
of (executable) libraries, ignoring any (non-)executable
flags (eg. you create a perl or python module which you load at
runtime and which executes arbitrary C code).
noexec may help against the "normal" user, but then again, what can a
"normal" user do more with an executable than a user using an ordinary
bash script?
Andreas.
--
http://www.lysium.de/blog
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20070604/6f604c16/attachment-0001.sig>
More information about the fedora-list
mailing list