[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: mounting /tmp noexec (was: Campus Computers)

Wichert Akkerman <wichert@wiggy.net> writes:

> Previously Thomas Bushnell, BSG wrote:
> > What sort of insecure cgi script are you thinking of?
> 
> Trivial protection against stupid rootkits.
> 
> > In any case, it's part of the normal conventions of all Unix-based
> > systems that /tmp is accessible to every user, for writing files and
> > for executing them.
> 
> debconf seems to be the only thing relying on it, I've been using
> a nonexec /tmp for a while now without noticing any other problems.

Posix requires a /tmp directory which arbitrary programs can write to,
and Posix knows nothing of noexec; a valid program of any sort could
well decide to use that feature, and Debian shouldn't bother trying to
work around it, IMHO.
Reply to: