Mounting filesystems with "noexec"

Simon L. Nielsen simon at FreeBSD.org
Thu Sep 22 05:17:16 PDT 2005


On 2005.09.22 13:11:43 +0200, Borja Marcos wrote:

> I've been playing a bit with the "noexec" flag for filesystems. It
> can represent a substantial obstacle against the exploitation of
> security holes.

Please note the following from the mount(8) manual page:

     noexec  Do not allow execution of any binaries on the mounted
             file system.  This option is useful for a server that has
             file systems containing binaries for architectures other
             than its own.  Note: This option was not designed as a
             security feature and no guarantee is made that it will
             prevent malicious code execution; for example, it is
             still possible to execute scripts which reside on a
             noexec mounted partition.

I don't know if it makes sense to log noexec failures, but at least
it's important that people don't completely rely on noexec for
security.

-- 
Simon L. Nielsen
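The gap the manual page describes, seen from the monitoring side, as an added example that is not part of the message above: an interpreter living on an executable file system can still be handed a script stored on a noexec one, so this sketch lists noexec mount points and flags processes whose arguments point below them. The function names (`noexec_mounts`, `flag_scripts`) are hypothetical, and the mount and process lines are constructed samples in the format of FreeBSD `mount` and `ps -axo pid,command` output.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `mount` output (not taken from the post).
sample_mounts() {
cat <<'EOF'
/dev/ad0s1a on / (ufs, local)
/dev/ad0s1e on /tmp (ufs, local, noexec, nosuid, soft-updates)
/dev/ad0s1f on /usr (ufs, local, soft-updates)
/dev/ad0s1d on /var/tmp (ufs, local, noexec)
EOF
}

# Constructed sample of "pid command" lines, as `ps -axo pid,command` prints them.
sample_procs() {
cat <<'EOF'
412 /usr/sbin/sshd
977 /bin/sh /tmp/run.sh
1020 /usr/local/bin/perl -w /var/tmp/x.pl
1033 /usr/local/bin/python /usr/local/bin/report.py
1100 /bin/sh /tmpfiles/ok.sh
EOF
}

# noexec_mounts: mount output on stdin -> mount points carrying the noexec option.
noexec_mounts() {
    awk '{
        if (!match($0, / \([^)]*\)$/)) next          # options are the trailing "(...)"
        opts = substr($0, RSTART + 2, RLENGTH - 3)
        head = substr($0, 1, RSTART - 1)
        i = index(head, " on "); if (!i) next
        n = split(opts, o, /, */)
        for (k = 1; k <= n; k++) if (o[k] == "noexec") { print substr(head, i + 4); break }
    }'
}

# flag_scripts MOUNT_OUTPUT: process lines on stdin -> "pid program path" for
# every argument that names a file below a noexec mount point.
flag_scripts() {
    NOEXEC="$(printf '%s\n' "$1" | noexec_mounts)" awk '
    BEGIN { n = split(ENVIRON["NOEXEC"], mp, "\n") }
    {
        for (f = 3; f <= NF; f++)                    # $2 is the program, the rest its arguments
            for (k = 1; k <= n; k++) {
                prefix = (mp[k] == "/") ? "/" : mp[k] "/"
                if (mp[k] != "" && index($f, prefix) == 1) print $1, $2, $f
            }
    }'
}

sample_procs | flag_scripts "$(sample_mounts)"
```

On a live system the two inputs would come from `mount` and `ps -axo pid,command`; the check only sees paths passed as separate arguments, so it is a coarse indicator rather than an enforcement point.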