On Tue, 16 Aug 2011 10:07:46 PDT, Roland McGrath said: > I think the expectation is that the administrator or system builder > who decides to set the (non-default) noexec mount option will also > set the sysctl at the same time. On the other hand, a design that requires 2 separate actions to be taken in order to make it work, and which fails unsafe if the second step isn't taken, is a bad design. If we're talking "expectations", let's not forget that the mount option is called "noexec", not "only-really-noexec-if-you-set-a-magic-sysctl". I'll also point out that we didn't add a sysctl in 2.6.0 to say whether or not to still allow the old "/lib/ld-linux.so your-binary-here" hack to execute binaries off a partition mounted noexec - we simply said "this will no longer be permitted".
Attachment:
pgpLVO2U4wyKM.pgp
Description: PGP signature