Re: user can't mount loop device...
>>>>> " " == Martijn van Oosterhout <kleptog@cupid.suninternet.com> writes:
> On Sat, Jan 20, 2001 at 08:23:27PM +0100, Tollef Fog Heen
> wrote:
>> * Goswin Brederlow
>>
>> | >From man mount: | user Allow an ordinary user to mount the
>> file | system. This option implies the options | noexec,
>> nosuid, and nodev (unless overridden | by subsequent options,
>> as in the option line | user,exec,dev,suid). | | So user or
>> users is enough. You might want to allow executables | though.
>>
>> noexec is very weak on linux anyhow:
>>
>> $ ~/bin/hello bash: /home/tfheen/bin/hello: Permission denied
>> $/lib/ld-linux.so.2 ~/bin/hello Hello, world! $mount | grep
>> home /dev/ide/host0/bus0/target0/lun0/part3 on /home type ext2
>> (rw,noexec) $
> They could always just copy the binary to their home directory
> and run it from there. The important point is that if the
That was the homedir not being mounted with noexec. If you use noexec
you normaly should make shure that all user writeable filesystems are
noexec. Its pointless otherwise.
> original had any special attributes (setuid, setgid,
> capabilities, etc) these are not passed on since they are lost
> in the copy and the loader does not handle them.
> It does protect a system from unsafe filesystems on swappable
> media. That's all it was supposed to do.
noexec is for preventing any program to be executable. It only
disables the x flag. Stuff like devices or setuid are handled by other
flages.
The above example shows that noexec trivial to circumvent. Makes it
pretty much pointless.
MfG
Goswin
Reply to: