Ed Greshko wrote:
The other catch is that being able to execute stuff in your home folder
is a bit of a security risk.
Andreas Bernauer:
On what theory do you base this (IMHO weird) statement?
Don't you read any of the security notices? Mounting /home as noexec is
a very old, and wise, technique for making a system more secure. The
same goes for mounting /tmp and /var noexec. Why do you think there's
an option to mount a partition with the noexec parameter?
If a user can create and run a program, they can do much more to a
system than one who can't. Ordinarily, they can't do that. At the
simplest level they can stuff up their own files, or bog a system down
with a heavy workload. But if you exploit a software fault, at the same
time, you can do worse.
All it takes is to browse a website that exploits your browser, and
there's an unknown program running on your computer. But without any
execute permissions, it can't do a thing.
I'm sorry.... Are you saying that mounting /home as noexec is a good thing
since folks that are compiling/testing programs won't be allowed to get
their work done?
Sorry a bit confused here.... Sure, it is only Monday.
There are always tradeoffs between usability and security. This one is
pretty extreme, even for people who just write a few convenience scripts
so they don't have to repeatedly type long command lines to unix tools for
things they do more than once.
--
Les Mikesell
lesmikesell@xxxxxxxxx
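
The thread turns on whether /home, /tmp and /var are mounted noexec. The following is an added example, not part of the original messages, that reports the setting for the filesystem actually holding a given path; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): is the filesystem that holds a
# path mounted noexec? Input is a mount table in /proc/mounts format.

# Constructed sample table, not taken from a real host.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
/dev/sda4 /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Print "<mountpoint> <options>" for the longest mount point that contains
# PATH. ">=" lets a later mount on the same point override an earlier one.
mount_opts_for() {   # usage: mount_opts_for MOUNTS_FILE PATH
    awk -v p="$2" '
        { mp = $2 }
        mp == "/" || p == mp || index(p, mp "/") == 1 {
            if (length(mp) >= n) { n = length(mp); best = mp " " $4 }
        }
        END { if (best != "") print best }' "$1"
}

# Exit 0 only if the covering mount lists noexec as a whole option.
is_noexec() {        # usage: is_noexec MOUNTS_FILE PATH
    entry=$(mount_opts_for "$1" "$2")
    case ",${entry#* }," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

audit() {            # usage: audit MOUNTS_FILE PATH...
    mounts=$1; shift
    for p in "$@"; do
        if is_noexec "$mounts" "$p"; then echo "$p: noexec"
        else echo "$p: exec allowed"; fi
    done
}

# Demo on the constructed table; on a real host pass /proc/mounts instead.
tmp=$(mktemp) && sample_mounts > "$tmp"
audit "$tmp" /home/alice/bin /tmp /var/log /var/tmp/build
rm -f "$tmp"
```

In the sample, /var/log reports exec allowed while /var/tmp/build reports noexec, because the check follows the longest matching mount point rather than the first path component.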