Re: Mount parameters

Hmm... that doesn't prevent executing commands of the form "wget
'$URL' | /bin/bash" which are increasingly common.

You could also set umask to prevent new files from having the execute
bit set, but with shell and script interpreters (bash, python, etc.)
I'm not sure how fruitful that will be.

On Thu, Oct 2, 2014 at 4:21 PM, Wilson <wilson.ubuntu@xxxxxxxxx> wrote:
> Thanks for the immediate answer.
>
> My present goal is just to prevent automated or accidental execution
> of treacherous downloads while letting users execute their own code
> if they really want (next step will be to give permission to mount FS
> to some users and not others), so the noexec parameter seemed the
> obvious way to do it (and for users with an unencrypted home it works
> fine).
>
>
> I'm using the standard "use a crypted home" by Ubuntu, so as far as I
> know I'm using the PAM module, I'm just unable to find out where to
> look to configure it (either globally or for a single user).
>
> I've the feeling that I'm missing something obvious, but I can't find it.
>
> Wilson
>
> 2014-10-03 0:56 GMT+02:00 Michael Chang <thenewme91@xxxxxxxxx>:
>> My gut feeling is you really want AppArmor or SELinux to restrict
>> execution, since users can just mount new filesystems wherever with
>> exec set (especially on a Desktop configuration with e.g. GNOME
>> installed).
>>
>> However, ecryptfs takes the "noexec" parameter at mount time, just
>> like most FUSE filesystems. You can test this by mounting it from the
>> command line and passing it as an option. Where you would set that so
>> that it always takes effect depends on how you're mounting the
>> directories...
>>
>> Michael Chang
>>
>> On Thu, Oct 2, 2014 at 3:55 PM, Michael Chang <thenewme91@xxxxxxxxx> wrote:
>>> My gut feeling is you really want AppArmor or SELinux to restrict execution,
>>> since users can just mount new filesystems wherever with exec set
>>> (especially on a Desktop configuration with e.g. GNOME installed).
>>>
>>> However, ecryptfs takes the "noexec" parameter at mount time, just like most
>>> FUSE filesystems. You can test this by mounting it from the command line and
>>> passing it as an option. Where you would set that so that it always takes
>>> effect depends on how you're mounting the directories...
>>>
>>> Michael Chang
>>>
>>> On Thu, Oct 2, 2014 at 3:41 PM, Wilson <wilson.ubuntu@xxxxxxxxx> wrote:
>>>>
>>>> Hi,
>>>>
>>>> is it possible to mount an ecryptfs home directory with mount
>>>> parameters such as noexec?
>>>>
>>>> I'm trying to build a hardened Ubuntu install (it's just a hobby for
>>>> learning something, nothing professional) and I'm stuck trying to
>>>> prevent execution from home even for users with cyphered home.
>>>>
>>>> I'm mounting the whole /home with noexec in fstab, but cyphered homes
>>>> are obviously unaffected and I'm unable to find a way to tell
>>>> ecryptfs to do so, can it be done?
>>>>
>>>> Thanks,
>>>>
>>>> Wilson
>>>> --
>>>> To unsubscribe from this list: send the line "unsubscribe ecryptfs" in
>>>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>>>
>>>
>>>
>>> --
>>> Michael Chang
>>
>>
>>
>> --
>> Michael Chang



-- 
Michael Chang
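
Added example, not part of the original thread: a small audit check for the situation described above, where /home carries noexec in fstab but an ecryptfs home mounted on top of it does not. The function names and the sample mount table are constructed for illustration; on a live system the input would be /proc/self/mounts.

```shell
#!/bin/sh
# List mounts at or below a directory that do NOT carry the noexec option.
# Input on stdin uses the /proc/self/mounts layout:
#   device  mountpoint  fstype  options  dump  pass
# (spaces inside mount points are escaped as \040 there, so splitting
# on whitespace is safe).

exec_allowed_mounts() {
    # $1 = directory to audit, e.g. /home
    awk -v prefix="$1" '
        {
            mp = $2
            # Keep the directory itself and anything mounted beneath it;
            # "/homework" must not match "/home".
            if (mp != prefix && index(mp, prefix "/") != 1) next
            n = split($4, opts, ",")
            noexec = 0
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") noexec = 1
            if (!noexec) print mp " (" $3 ")"
        }'
}

# Constructed sample: /home is noexec, alice's ecryptfs home stacked on
# top of it is not, bob's is.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime 0 0
/home/.ecryptfs/bob/.Private /home/bob ecryptfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Demo on the sample; for a live check use:
#   exec_allowed_mounts /home < /proc/self/mounts
sample_mounts | exec_allowed_mounts /home
```

The check only reports mount flags. As noted in the reply above, noexec does not stop a script from being handed to an interpreter such as bash or python.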