https://bugzilla.kernel.org/show_bug.cgi?id=29212

--- Comment #2 from krzf83@xxxxxxxxx 2011-02-16 15:35:03 ---

Disallowing access to binary programs like nmap, sendmail, and perhaps ping is a good practice on a shared system. A user can, however, put his own copies of these programs in his home dir. If /home is mounted without noexec he can run those. With noexec he can't. Of course scripting languages can still be used, but they are less of a threat for now. (Mounting /tmp and /dev/shm is also common security practice.)

There are situations when it would be very wasteful and inconvenient to mount a whole filesystem with noexec. Perhaps you want to execute code in some directories on /home, perhaps you want to allow some users to execute code on /home, or perhaps you want to disallow execution in some locations recursively and still allow it in other locations.

I'm not sure what the best form of setting and storing data for such functionality is, as I doubt anyone will catch this and want to program it into the kernel. However, a more precise noexec for specific locations in the filesystem, not just a whole filesystem, is what I've been looking for for years now.
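As an added example (not part of the bug report or the ext4 code), the following POSIX sh script audits whether the mount points the comment names (/home, /tmp, /dev/shm) actually carry the noexec option, reading a /proc/mounts-style file; the embedded mounts table is a constructed sample, and the function names are assumptions.

```shell
#!/bin/sh
# Audit which of the commonly hardened mount points carry "noexec".
# Reads a file in /proc/mounts format (default: the live /proc/mounts).

# Constructed sample in /proc/mounts format (not taken from a real system):
# only /tmp is mounted noexec here.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# has_noexec MOUNTPOINT [MOUNTS_FILE]
# Prints "noexec" or "exec" for the mount point; returns 1 if the path
# is not a mount point in the file. Field 4 of /proc/mounts is the
# comma-separated option list (paths with spaces are octal-escaped there).
has_noexec() {
    mp=$1
    file=${2:-/proc/mounts}
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$file" | tail -n 1)
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,noexec,*) echo noexec ;;
        *) echo exec ;;
    esac
}

# audit_noexec [MOUNTS_FILE]
# Prints one line per mount point and returns the number of mount points
# that are NOT hardened (exec-able or not mounted separately at all).
audit_noexec() {
    file=${1:-/proc/mounts}
    bad=0
    for mp in /home /tmp /dev/shm; do
        state=$(has_noexec "$mp" "$file") || state="not-a-mountpoint"
        printf '%-10s %s\n' "$mp" "$state"
        [ "$state" = noexec ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Stand-alone demo on the constructed sample; call audit_noexec with no
# argument to audit the live system instead.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$demo"
audit_noexec "$demo" || :
rm -f "$demo"
```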