Re: Mount parameters

My gut feeling is you really want AppArmor or SELinux to restrict
execution, since users can just mount new filesystems wherever with
exec set (especially on a Desktop configuration with e.g. GNOME
installed).

However, ecryptfs takes the "noexec" parameter at mount time, just
like most FUSE filesystems. You can test this by mounting it from the
command line and passing it as an option. Where you would set that so
that it always takes effect depends on how you're mounting the
directories...

Michael Chang

On Thu, Oct 2, 2014 at 3:55 PM, Michael Chang <thenewme91@xxxxxxxxx> wrote:
> My gut feeling is you really want AppArmor or SELinux to restrict execution,
> since users can just mount new filesystems wherever with exec set
> (especially on a Desktop configuration with e.g. GNOME installed).
>
> However, ecryptfs takes the "noexec" parameter at mount time, just like most
> FUSE filesystems. You can test this by mounting it from the command line and
> passing it as an option. Where you would set that so that it always takes
> effect depends on how you're mounting the directories...
>
> Michael Chang
>
> On Thu, Oct 2, 2014 at 3:41 PM, Wilson <wilson.ubuntu@xxxxxxxxx> wrote:
>>
>> Hi,
>>
>> Is it possible to mount an ecryptfs home directory with mount
>> parameters such as noexec?
>>
>> I'm trying to build a hardened Ubuntu install (it's just a hobby for
>> learning something, nothing professional) and I'm stuck trying to
>> prevent execution from home even for users with cyphered home.
>>
>> I'm mounting the whole /home with noexec in fstab, but cyphered homes
>> are obviously unaffected and I'm unable to find a way to tell
>> ecryptfs to do so. Can it be done?
>>
>> Thanks,
>>
>> Wilson
>> --
>> To unsubscribe from this list: send the line "unsubscribe ecryptfs" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>
>
>
> --
> Michael Chang



-- 
Michael Chang
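
One way to confirm whether the noexec option discussed in this thread is actually in effect on mounted ecryptfs homes, as an added example that is not part of the original messages. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: report ecryptfs mounts that are missing the noexec flag.
# Input is a mount table in /proc/self/mounts format:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>
# Spaces in paths are escaped as \040 there, so whitespace splitting is safe.

# Read a mount table on stdin and print the mount point of every
# ecryptfs mount whose option list does not contain "noexec".
ecryptfs_exec_mounts() {
    awk '$3 == "ecryptfs" {
        n = split($4, opts, ",")
        found = 0
        # Compare whole options so a longer option name cannot match.
        for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1
        if (!found) print $2
    }'
}

# Constructed sample table (not captured from a real system): /home is
# noexec, alice's ecryptfs home is not, bob's ecryptfs home is.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0000000000000000,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
/home/.ecryptfs/bob/.Private /home/bob ecryptfs rw,nosuid,nodev,noexec,relatime,ecryptfs_sig=1111111111111111,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
}

# Demo on the constructed table; prints /home/alice.
sample_mounts | ecryptfs_exec_mounts

# On a live system: ecryptfs_exec_mounts < /proc/self/mounts
```

An empty result on the live table means every mounted ecryptfs home carries noexec; any path printed is a home where the flag on the underlying /home mount did not carry over.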