
Re: /home as noexec and X



On Wed, Dec 09, 1998 at 06:02:37PM +0100, Kristoffer.Rose@ENS-Lyon.FR wrote:

> > I mounted my /home partition as noexec (to have more security on my
> > machine) and I found I can't exec scripts like ~/.xsession; would be good
> > if it would be executed like "exec sh $HOME/.xsession" and not "exec
> > $HOME/.xsession" imho
> 
> I disagree: in cases where I'd mount /home as noexec I'd *want* that the
> system refuses to execute anything, including .xsession!
> 
> In any case no one says that .xsession must be a shell script which your
> proposal will force it to be.

I already suggested logic like this:

	if it exists
		if it's executable (chmod +x)
			execute it
		else if it's not executable
			run it with 'sh'
		fi
	fi

Works great.  I also disagree with your opinion that we don't want it running
.xsession if noexec is set -- if it's just a script, it doesn't add any new
security holes, and if it's an executable binary, 'noexec' will disable it
in all cases.

If you want to disable .xsession completely, turn it off in /etc/X11/config.

Have fun,

Avery
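
The fallback logic proposed in the message above, written out as POSIX sh. This is an added example, not code from the thread or from any X startup script; the function names `choose_startup` and `run_startup` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: exists / executable / fall back to sh, as in the message.
# choose_startup and run_startup are hypothetical names.

# Print how FILE would be started: "direct", "sh", or "none".
choose_startup() {
    if [ -e "$1" ]; then
        if [ -x "$1" ]; then
            echo direct
        else
            echo sh
        fi
    else
        echo none
    fi
}

# Start FILE according to choose_startup. A real session script would
# use `exec` here; plain invocation keeps this demo shell alive.
run_startup() {
    case "$(choose_startup "$1")" in
        direct) "$1" ;;
        sh)     sh "$1" ;;
        none)   return 1 ;;
    esac
}

# Constructed sample: two identical scripts, one with and one without +x.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '#!/bin/sh\necho session started\n' > "$demo_dir/with_x"
cp "$demo_dir/with_x" "$demo_dir/without_x"
chmod 755 "$demo_dir/with_x"
chmod 644 "$demo_dir/without_x"

for f in with_x without_x missing; do
    printf '%s: %s\n' "$f" "$(choose_startup "$demo_dir/$f")"
done
```

On Linux, access(2) with X_OK fails for regular files on a noexec mount, so a shell whose `[ -x ]` test relies on it takes the `sh` branch there even when the mode bits include +x.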

