svn commit: r41813 - head/en_US.ISO8859-1/books/handbook/basics

Tom Rhodes trhodes at FreeBSD.org
Mon Jun 3 14:23:57 UTC 2013


On Mon, 3 Jun 2013 14:49:49 +0200
Eitan Adler <eadler at freebsd.org> wrote:

> On 3 June 2013 13:55, Tom Rhodes <trhodes at freebsd.org> wrote:
> > On Sat, 1 Jun 2013 15:44:45 +0000 (UTC)
> > Eitan Adler <eadler at FreeBSD.org> wrote:
> >
> >> Author: eadler
> >> Date: Sat Jun  1 15:44:45 2013
> >> New Revision: 41813
> >> URL: http://svnweb.freebsd.org/changeset/doc/41813
> >>
> >> Log:
> >>   The man page for mount(1) and the handbook disagree on the security value of 'noexec'.  The man page is correct.
> >>
> >> Modified:
> >>   head/en_US.ISO8859-1/books/handbook/basics/chapter.xml
> >>
> >> Modified: head/en_US.ISO8859-1/books/handbook/basics/chapter.xml
> >> ==============================================================================
> >> --- head/en_US.ISO8859-1/books/handbook/basics/chapter.xml    Sat Jun  1 15:37:57 2013        (r41812)
> >> +++ head/en_US.ISO8859-1/books/handbook/basics/chapter.xml    Sat Jun  1 15:44:45 2013        (r41813)
> >> @@ -1790,15 +1790,6 @@ root     5211  0.0  0.2  3620  1724   2
> >>
> >>        <variablelist>
> >>       <varlistentry>
> >> -       <term>noexec</term>
> >> -
> >> -       <listitem>
> >> -         <para>Do not allow execution of binaries on this file
> >> -           system.  This is also a useful security option.</para>
> >> -       </listitem>
> >> -     </varlistentry>
> >> -
> >> -     <varlistentry>
> >>         <term>nosuid</term>
> >>
> >>         <listitem>
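Review bot: removing the whole noexec <varlistentry> drops the only handbook entry for an option that the same list goes on to document for nosuid; the only sentence that disagrees with the man page is the last one, "This is also a useful security option." Keeping <term>noexec</term> with "Do not allow execution of binaries on this file system." and rewording the security claim (noexec stops the kernel from executing binaries located on that file system, but not an interpreter elsewhere from running a script stored there, so it is a hardening layer rather than a control on its own) would be the smaller change the log message supports.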
> >
> > Why not fix rather than remove?
> 
> This is not really a 'common' mount option to use.

Not true.  In EVERY environment where a chrooted web or FTP
server existed, mounting file systems via NFS from an internal
server containing the site data, had this option.  In fact,
I don't recall ever being in an environment where noexec
was missing.  In addition, in the US, this option is provided as
a government requirement in the NIST 800-53 standards, part of
the CIS benchmark for FreeBSD, Linux, Solaris, etc.; part of
DISA, Linux USGCB, and is also recommended by SANS (and discussed
in GIAC certification requirements).

While I would agree this is not an enable-and-consider-"secure"
mount option, it's always used in conjunction with other
security features/controls and users really should understand and
know that it exists.

Thanks,

--
Tom Rhodes
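The deployment Tom describes above (site data served over NFS to a chrooted web or FTP server, with noexec applied alongside other controls) is exactly what the CIS-style benchmarks he names check for. The script below is an added example for this thread, not code from the handbook, the commit, or either poster: a POSIX sh audit over a constructed fstab that reports data file systems mounted without noexec or nosuid. The sample fstab, the NFS server name fs.internal, and the EXEC_ALLOWED list of mount points that are permitted to carry executables are all assumptions to adjust to local policy.

```shell
#!/bin/sh
# Added example: audit fstab entries for mounts that lack noexec / nosuid.
# The fstab below is constructed for this example; fs.internal is assumed.
SAMPLE_FSTAB='# Device                Mountpoint      FStype  Options                 Dump Pass
/dev/ada0p2             /               ufs     rw                      1 1
/dev/ada0p3             none            swap    sw                      0 0
/dev/ada0p4             /var            ufs     rw,nosuid               2 2
/dev/ada0p5             /tmp            ufs     rw,noexec,nosuid        2 2
fs.internal:/export/www /usr/local/www  nfs     ro,noexec,nosuid        0 0
fs.internal:/export/ftp /usr/local/ftp  nfs     rw                      0 0'

# Mount points that legitimately hold binaries and so are exempt from the
# noexec requirement (assumed policy; the root file system is skipped entirely).
EXEC_ALLOWED="/usr /usr/local"

# has_opt OPTS OPT: succeed if OPT appears in the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# in_list "a b c" x: succeed if x is one of the space-separated words.
in_list() {
    for _w in $1; do
        if [ "$_w" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# audit_fstab FSTAB_TEXT: print "<mountpoint> missing:<opt>[,<opt>]" for each
# non-root, non-swap file system that is mounted without a required option.
audit_fstab() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac   # blank lines and comments
        if [ "$fstype" = "swap" ] || [ "$mnt" = "/" ]; then
            continue
        fi
        missing=""
        for opt in noexec nosuid; do
            if [ "$opt" = "noexec" ] && in_list "$EXEC_ALLOWED" "$mnt"; then
                continue
            fi
            if ! has_opt "$opts" "$opt"; then
                missing="${missing:+$missing,}$opt"
            fi
        done
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$mnt" "$missing"
        fi
    done
}

# audit_findings FSTAB_TEXT: number of deviating mounts (0 means compliant).
audit_findings() {
    audit_fstab "$1" | wc -l | tr -d ' '
}

audit_fstab "$SAMPLE_FSTAB"
```

On the constructed input the audit flags /var (no noexec) and the FTP data mount /usr/local/ftp (neither option), while /tmp and the read-only web data mount pass. A clean result only says the mount options match policy; as the message above notes, noexec has to be paired with the chroot, nosuid and the rest of the configuration, since it does nothing about a script on that file system being fed to an interpreter that lives elsewhere.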

