Re: /home as noexec and X
On Wed, Dec 09, 1998 at 09:38:44PM +0000, Jules Bean wrote:
> > I just don't want any user to download any executable and use it. Maybe
> > I'm paranoid about security, but this sounds like a good idea to me; maybe
> > the Linux kernel could be patched to allow executing of scripts (starting
> > with #!) on a partition mounted as "noexec"
> It could. But shell scripts are almost as powerful as executables, so
> it's not clear why you would.
Not nearly as powerful. If you find a kernel root compromise in the vm86()
function call, bash isn't going to get you that.
Now, perl might be able to pull it off...
> You are also preventing people running anything they have created with a
I think that would be the point.
> Beware of any other world-writable directories (/tmp, /var/tmp), and also
> of scripting languages (perl, python) which allow people to create
> executable files of arbitrary 'power' without needing the exec bit.
Done right, this can be a benefit to security. It would admittedly be kind
of hard to do right, and kind of annoying even then.