Re: /home as noexec and X

[Avery Pennarun <apenwarr@worldvisions.ca>]

On Wed, Dec 09, 1998 at 09:38:44PM +0000, Jules Bean wrote:

> > I just don't want any user to download any executable and use it. maybe
> > i'm paranoid about security but this sounds like good idea to me; maybe
> > linux kernel could be patched to allow executing of scripts (starting
> > with #!) on partition mounted as "noexec"
> 
> It could.  But shell scripts are almost as powerful as executables, so
> it's not clear why you would.

Not nearly as powerful.  If you find a kernel root compromise in the vm86()
function call, bash isn't going to get you that.

Now, perl might be able to pull it off...

> You are also preventing people running anything they have created with a
> compiler.

I think that would be the point.

> Beware of any other world-writable directories (/tmp,/var/tmp), and also
> of scripting languages (perl,python) which allow people to create
> executable files of arbitrary 'power' without needing the exec bit.

Done right, this can be a benefit to security.  It would admittedly be kind
of hard to do right, and kind of annoying even then.

Have fun,

Avery