
Re: mounting /tmp as executable or not?



On Mon, Dec 05, 2005 at 02:32:16PM -0500, Bernd Prager wrote:
> I was wondering if there's some security or other benefits in mounting
> /tmp with a "noexec" option. Even if scripts there can still be executed
> but - binary programs should not, right? At least something, I thought.
> When I was checking it out, unfortunately some apt-get updates started
> failing, like:
> 
> Preconfiguring packages ...
> Can't exec "/tmp/cvs.config.56471": Permission denied at
> /usr/share/perl/5.8/IPC/Open3.pm line 168.
> open2: exec of /tmp/cvs.config.56471 configure 1:1.12.9-16 failed at
> /usr/share/perl5/Debconf/ConfModule.pm line 44
> cvs failed to preconfigure, with exit status 2
> 
> So now I just think it's wasted energy and tend to reverse that "noexec"
> flag to "standard" again.
> 
> Any suggestions or experiences?
> Thanks,
> -- Bernd

The noexec only prevents files from being executed directly.  You can
always do something like this:

/usr/bin/python <python-script>
/usr/bin/perl <perl-script>
/bin/bash <bash-script>
/lib/ld-linux.so.2 <elf-binary>

-Roberto
-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto
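
Seen from the detection side, the reply above means that `noexec` has to be paired with monitoring of exec events. The sketch below is an added example, not part of the original message. It flags exec records in which an interpreter or the ELF loader is handed a file that lives on a noexec mount. The record format (an argv list plus working directory), the function names, the loader patterns and the sample records are all assumptions made for this example.

```python
import posixpath
import re

# Interpreters and the dynamic loader named in the reply; the exact patterns
# are an assumption of this example and should be extended per environment.
LOADERS = re.compile(r"^(python[\d.]*|perl[\d.]*|bash|sh|dash|ld-linux.*\.so\.\d+)$")
INLINE_CODE = {"-c", "-e"}  # code passed on the command line, no script file

def under(path, mount):
    """True if the normalized path is the mount point or lies beneath it."""
    mount = mount.rstrip("/") or "/"
    return path == mount or path.startswith(mount.rstrip("/") + "/")

def noexec_bypass(argv, cwd, noexec_mounts):
    """Return the file on a noexec mount that argv passes to an interpreter
    or to the ELF loader as its program, or None if the record is benign."""
    if not argv or not LOADERS.match(posixpath.basename(argv[0])):
        return None  # direct exec: the kernel already refuses it on noexec
    for arg in argv[1:]:
        if arg in INLINE_CODE:
            return None
        if arg.startswith("-"):
            continue  # skip options (options that take a value are not modelled)
        # Only the first operand is the program; later operands are its data.
        path = posixpath.normpath(posixpath.join(cwd, arg))
        return path if any(under(path, m) for m in noexec_mounts) else None
    return None

# Constructed sample exec records: (argv, cwd).
SAMPLE = [
    (["/usr/bin/perl", "/tmp/job.pl"], "/"),
    (["/lib/ld-linux.so.2", "./tool"], "/tmp/work"),
    (["/usr/bin/python3", "/var/../tmp/x.py"], "/root"),
    (["/bin/bash", "-c", "ls /tmp"], "/tmp"),
    (["/usr/bin/python", "/usr/lib/app/run.py", "/tmp/input.csv"], "/"),
    (["/tmp/cvs.config.56471", "configure"], "/"),
]

def scan(records, noexec_mounts):
    """Return the flagged paths, in order, for a list of (argv, cwd) records."""
    hits = (noexec_bypass(argv, cwd, noexec_mounts) for argv, cwd in records)
    return [h for h in hits if h is not None]

if __name__ == "__main__":
    for hit in scan(SAMPLE, ["/tmp"]):
        print("interpreter or loader run on noexec file:", hit)
```
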
