On Thu, Oct 02, 2003 at 11:21:39PM -0400, Bijan Soleymani wrote: > > I don't know but this seems like overkill. Does mounting home noexec > mean that I can't run programs for /home/. Yep, that's what it means. Things located in the partition mounted at /home are not allowed to be executed (though it can be bypassed) > What about at school. They > don't even have lynx installed and their version of mutt is broken, etc. > I depend on being able to compile and install software in ~/software/. > > Wouldn't an even easier solution be to stop the user from using the > computer. No way they can get a virus that way :) Just joking but > still... As for whether it's an appropriate solution, that depends on lots of things. Who are your users? How trusted are they? Will they have legitimate need to run arbitrary code? Also, if the sysadmin has properly installed and configured the programs that her users need, that makes a big difference. In the case of experienced power-users on a university network, you'd inconvenience people plenty by trying this, and they'd just hack around it anyway. One method has already been mentioned in this thread. But in the case of administering a network for an office full of desktop users who are happy as long as they can get mail, surf the web, and run an office suite, I think the noexec solution is a _totally_ appropriate way to remove much of the opportunity for their ignorance to open the door to somebody's trojan. The right balance between security and convenience varies pretty widely among particular cases. Cheers! -- ,-------------------------------------------------------------------------. > -ScruLoose- | I do not agree with what you have to say, < > Please do not | but I'll defend to the death your right to say it. < > reply off-list. | - Voltaire < `-------------------------------------------------------------------------'
Attachment:
pgpA17GyBW3gE.pgp
Description: PGP signature