On Mon, 2007-06-04 at 21:01 +0930, Tim wrote: > Tim: > >> The other catch is that being able to execute stuff in your home folder > >> is a bit of a security risk. > > Andreas Bernauer: > > On what theory do you base this (IMHO weird) statement? > > Don't you read any of the security notices? Mounting /home as noexec is > a very old, and wise, technique for making a system more secure. It's the same kind of wisdom advising you to wear a knight's armor or a bullet-proof vest in everyday life. It might be suitable in certain environments, but in general, though it might make your life a glimpse more secure, but your comfort is likely to suffer severely. > The > same goes for mounting /tmp and /var noexec. Why do you think there's > an option to mount a partition with the noexec parameter? It's useful for data partitions, but even then mounting read only is more useful. > If a user can create and run a program, they can do much more to a > system than one who can't. Yes, a person who is able to leave his house is able to do much more than one which can't - But most people want to leave their house, and prefer not to live in a cage. Ralf
