Re: mounting /tmp noexec (was: Campus Computers)
Ian <ian@ids.org.au> writes:
> for example, an insecure cgi script could allow a user to write to /tmp
> and get the web server to execute the script. By mounting /tmp noexec,
> this problem is potentially prevented (aside from the insecure script).
What sort of insecure cgi script are you thinking of? If it's being
coerced into letting the user write a file and execute it, it can
presumably be coerced to just directly execute whatever it wants
without the rigamarole.
> so surely, if nothing needs to be executed, it is better to mount
> noexec?
noexec has no good purpose, really. But its intention was for
networked filesystems in certain environments, not a generalized
security tool.
In any case, it's part of the normal conventions of all Unix-based
systems that /tmp is accessible to every user, for writing files and
for executing them.