lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 16 Feb 2011 15:35:04 GMT
From:	bugzilla-daemon@...zilla.kernel.org
To:	linux-ext4@...r.kernel.org
Subject: [Bug 29212] noexec on file level (acl)

https://bugzilla.kernel.org/show_bug.cgi?id=29212





--- Comment #2 from krzf83@...il.com  2011-02-16 15:35:03 ---
Dissalowing access to binary programs like nmap, sendmail, perhaps ping is a
good practice on shared system. User can however put his own copies in his home
dir of these programs. If /home is mounted without noexec he can run those.
With noexec he can't. Of course scripting languages still can be actually used
but there are less of a treat for now.
(mounting /tmp and /dev/shm is also common security practice)
There are situations when it would be very wasteful and inconvenient to mount
whole filesystem with noexec. Perhaps you want to execute code in some
directories on /home, perhaps you want to allow some users to execute code od
/home or perhaps you want to disallow execution in some locations recursively
and still allow it in other locations. I'm not sure what is the best form of
setting and storing data for such functionality as I doubt anyone will catch
this and want to program it into kernel.
However more precise noexec for specific locations in filesystem, not just
whole filesystem, is what I've been looking for years now.

-- 
Configure bugmail: https://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ