[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: mounting /tmp noexec (was: Campus Computers)

Ian <ian@ids.org.au> writes:

> for example, an insecure cgi script could allow a user to write to /tmp
> and get the web server to execute the script. By mounting /tmp noexec,
> this problem is potentially prevented (aside from the insecure script).

What sort of insecure cgi script are you thinking of?  If it's being
coerced into letting the user write a file and execute it, it can
presumably be coerced to just directly execute whatever it wants
without the rigamarole.

> so surely, if nothing needs to be executed, it is better to mount
> noexec?

noexec has no good purpose, really.  But it's intention was for
networked filesystems in certain environments, not a generalized
security tool.

In any case, it's part of the normal conventions of all Unix-based
systems that /tmp is accessible to every user, for writing files and
for executing them.

Reply to: