[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Proposal: dpkg change: scripts in /var/lib/dpkg/tmp.ci

-> > I mounted /var as noexec/nodev because of security reasons.
-> > I created partition /exec for using it on scripts etc that needs to be
-> > executed.

-> noexec provides no real security whatsoever.  nosuid,nodev are more
-> useful.
-> 
-> try this:
-> 
-> $ cp /bin/date /noexecfs
-> $ /noexecfs/date
-> (you get a permission denied)
-> $ /lib/ld-2.1.3.so /noexecfs/date
-> (date runs normally)

well, shouldn't be this considered ad ld.so bug?

-> this is for potato, woody/sid would probably be /lib/ld-2.2.2.so or
-> something. the point is noexec does not prevent you from running binaries
-> on that filesystem. same thing with shell scripts, /bin/sh
-> /noexecfs/shellscript.sh works just fine without even execute
-> permissions. 

of course I know about shell scripts. But i think the main difference is
shell scripts shouldn't make harm as binaries can.

-- 
 Matus "fantomas" Uhlar, sysadmin at NEXTRA, Slovakia; IRCNET admin of *.sk
 uhlar@fantomas.sk ; http://www.fantomas.sk/ ; http://www.nextra.sk/
 Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Reply to: