Re: Do we really need to worry about viruses
>> I don't know but this seems like overkill. Does mounting home noexec
>> mean that I can't run programs for /home/.
>Yep, that's what it means. Things located in the partition mounted at
>/home are not allowed to be executed (though it can be bypassed)
>> What about at school. They
>> don't even have lynx installed and their version of mutt is broken, etc.
>> I depend on being able to compile and install software in ~/software/.
>> Wouldn't an even easier solution be to stop the user from using the
>> computer. No way they can get a virus that way :) Just joking but
>As for whether it's an appropriate solution, that depends on lots of
>things. Who are your users? How trusted are they? Will they have
>legitimate need to run arbitrary code?
>Also, if the sysadmin has properly installed and configured the
>programs that her users need, that makes a big difference.
>In the case of experienced power-users on a university network, you'd
>inconvenience people plenty by trying this, and they'd just hack around
>it anyway. One method has already been mentioned in this thread.
>But in the case of administering a network for an office full of
>desktop users who are happy as long as they can get mail, surf the web,
>and run an office suite, I think the noexec solution is a _totally_
>appropriate way to remove much of the opportunity for their ignorance
>to open the door to somebody's trojan.
>The right balance between security and convenience varies pretty widely
>among particular cases.
I think that a lot of users tend to switch to using root because they
cannot achieve simple tasks with their "normal" user. For instance
writing cd's. It would help if there is a doc that explains how users
can best set up their system to achieve this. For example, hinting to
the use of sudo and so on. This would help IMO but i haven't found a
doc that explains these issues and suggest sollutions for the most
common tasks where users are confronted with permission problems.
Such a doc should really be available alongside the other debian docs
on the site. Now everybody who runs into these kinds of problems
tries to solve it their own way which aren't necessary the best:
running as root, using SUID and so on.