/boot at beginning of drive
Colin Percival
cperciva at freebsd.org
Sun Apr 16 21:19:21 UTC 2006
Brendan Grossman wrote:
> Here is my reason for separating /tmp and mounting it noexec,nosuid:
>
> http://www.sagonet.com/forums/showthread.php?t=2852
Quoth mount(8):
     noexec  Do not allow execution of any binaries on the mounted
             file system.  This option is useful for a server that has
             file systems containing binaries for architectures other
             than its own.  Note: This option was not designed as a
             security feature and no guarantee is made that it will
             prevent malicious code execution; for example, it is
             still possible to execute scripts which reside on a
             noexec mounted partition.
Mounting /tmp as noexec causes perfectly good code to gratuitously fail,
while providing no real security improvement.
Colin Percival
FreeBSD Security Officer
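The mount(8) caveat quoted in the message above, shown as an added example that is not part of Colin Percival's post: a script placed on a noexec mount cannot be executed directly (execve(2) fails), but handing the same file to its interpreter runs it anyway. The script assumes a FreeBSD or Linux host with a tmpfs mount type and /bin/sh; the function names and the file name hello.sh are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Shows the mount(8) caveat: on a noexec mount a script cannot be
# execve()'d directly, but "sh script" reads and runs it anyway.
# Assumes a FreeBSD or Linux host with tmpfs; the function names and the
# script name hello.sh are this example's own choices.

# probe_noexec DIR: drop a trivial shell script into DIR and report whether
# direct execution and interpreter-mediated execution succeed.
# Prints "direct=ok|denied interp=ok|denied".
probe_noexec() {
    dir=$1
    script="$dir/hello.sh"
    printf '#!/bin/sh\necho hello from %s\n' "$dir" > "$script"
    chmod 755 "$script"

    # Direct execution goes through execve(2); the kernel refuses it on a
    # noexec mount (EACCES), and that refusal is all the option provides.
    if "$script" >/dev/null 2>&1; then direct=ok; else direct=denied; fi

    # Handing the file to the interpreter only needs read permission:
    # sh open()s and parses it, and no execve() of the file takes place.
    # This succeeds whether or not the mount is noexec.
    if sh "$script" >/dev/null 2>&1; then interp=ok; else interp=denied; fi

    rm -f "$script"
    echo "direct=$direct interp=$interp"
}

# demo_noexec_mount: mount a throw-away tmpfs with noexec and probe it.
# Needs root and mount privilege; otherwise it reports and returns.
demo_noexec_mount() {
    if [ "$(id -u)" != 0 ]; then
        echo "not root: cannot create a noexec mount, skipping"
        return 0
    fi
    mnt=$(mktemp -d) || return 1
    if ! mount -t tmpfs -o noexec tmpfs "$mnt" 2>/dev/null; then
        echo "mount failed (no mount privilege in this environment), skipping"
        rmdir "$mnt"
        return 0
    fi
    # direct is denied here because of noexec; interp still succeeds
    echo "noexec tmpfs at $mnt: $(probe_noexec "$mnt")"
    umount "$mnt"
    rmdir "$mnt"
}

# Stand-alone run: compare an ordinary directory with a noexec mount.
plain=$(mktemp -d)
echo "ordinary directory $plain: $(probe_noexec "$plain")"
rmdir "$plain"
demo_noexec_mount
```

To check an existing noexec /tmp rather than a scratch mount, run `probe_noexec /tmp` on that system: direct execution is refused, but the interpreter path still reports ok, which is exactly why the man page declines to call noexec a security feature.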