
Re: mounting /tmp noexec



> > > noexec has no good purpose, really.  But its intention was for
> > > networked filesystems in certain environments, not a generalized
> > > security tool.
> > 
> > It's very useful for mounting filesystems like vfat, where otherwise
> > all the files are marked executable which makes mc a PITA to use for
> > examining archive files (mc tries to execute them!).
> 
> Ah, interesting. ;)  Of course, that isn't a security related reason.

It's just wrong.

If you mount a filesystem with the noexec option (try!), files may have
'x' permission. And they can *look* executable (e.g. on a vfat partition
you will see all files 'executable', as usual).  The only difference is
that if you try to execute such a file you will get a 'permission
denied' error message. But mc will try to execute every file :)

[terrapin] 08:46:52 ~$ sudo mount -o remount,noexec /tmp 
Password:
[terrapin] 08:47:11 ~$ touch /tmp/a
[terrapin] 08:47:14 ~$ chmod +x /tmp/a
[terrapin] 08:47:17 ~$ ls -l /tmp/a
-rwxr-xr-x    1 alexey   alexey          0 Янв  3 08:47 /tmp/a
[terrapin] 08:47:21 ~$ /tmp/a
bash: /tmp/a: Permission denied
[terrapin] 08:47:25 ~$ 

-- 
Alexey

"Python is executable pseudocode, Perl is executable line-noise."
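
Added example, not part of the original message: a small audit helper that treats the 'x' mode bits and the noexec mount option as two separate checks, which is the distinction the session above shows. The mount table is a constructed sample in /proc/mounts format, and the function names are hypothetical.

```python
import os
import stat

# Constructed sample in /proc/mounts format (not from the original message).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /mnt/usb vfat rw,uid=1000 0 0
/dev/sda3 /tmp/build ext3 rw 0 0
"""

def _unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def mount_for(path, mounts_text):
    """Return (mount_point, options) for the mount covering an absolute path."""
    path = os.path.normpath(path)
    best = None
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mnt = _unescape(parts[1])
        covers = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        # Longest mount point wins; on a tie the later line is the active mount.
        if covers and (best is None or len(mnt) >= len(best[0])):
            best = (mnt, set(parts[3].split(",")))
    return best

def exec_verdict(path, mode, mounts_text):
    """Report the mode bits and the mount flag as two independent checks."""
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "no x bit"
    mnt, opts = mount_for(path, mounts_text)
    if "noexec" in opts:
        return "x bit set, but noexec on " + mnt
    return "executable"

if __name__ == "__main__":
    # Live check of the file from the session above, if it exists.
    target = "/tmp/a"
    if os.path.exists(target):
        with open("/proc/mounts") as fh:
            print(exec_verdict(target, os.stat(target).st_mode, fh.read()))
    print(exec_verdict("/tmp/a", 0o100755, SAMPLE_MOUNTS))
```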


