svn commit: r41813 - head/en_US.ISO8859-1/books/handbook/basics
Tom Rhodes
trhodes at FreeBSD.org
Mon Jun 3 14:23:57 UTC 2013
On Mon, 3 Jun 2013 14:49:49 +0200
Eitan Adler <eadler at freebsd.org> wrote:
> On 3 June 2013 13:55, Tom Rhodes <trhodes at freebsd.org> wrote:
> > On Sat, 1 Jun 2013 15:44:45 +0000 (UTC)
> > Eitan Adler <eadler at FreeBSD.org> wrote:
> >
> >> Author: eadler
> >> Date: Sat Jun 1 15:44:45 2013
> >> New Revision: 41813
> >> URL: http://svnweb.freebsd.org/changeset/doc/41813
> >>
> >> Log:
> >> The man page for mount(1) and the handbook disagree on the security value of 'noexec'. The man page is correct.
> >>
> >> Modified:
> >> head/en_US.ISO8859-1/books/handbook/basics/chapter.xml
> >>
> >> Modified: head/en_US.ISO8859-1/books/handbook/basics/chapter.xml
> >> ==============================================================================
> >> --- head/en_US.ISO8859-1/books/handbook/basics/chapter.xml Sat Jun 1 15:37:57 2013 (r41812)
> >> +++ head/en_US.ISO8859-1/books/handbook/basics/chapter.xml Sat Jun 1 15:44:45 2013 (r41813)
> >> @@ -1790,15 +1790,6 @@ root 5211 0.0 0.2 3620 1724 2
> >>
> >> <variablelist>
> >> <varlistentry>
> >> - <term>noexec</term>
> >> -
> >> - <listitem>
> >> - <para>Do not allow execution of binaries on this file
> >> - system. This is also a useful security option.</para>
> >> - </listitem>
> >> - </varlistentry>
> >> -
> >> - <varlistentry>
> >> <term>nosuid</term>
> >>
> >> <listitem>
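Review bot: the hunk deletes the entire noexec varlistentry, although the log message says only the handbook's assessment of its security value is wrong; the first sentence of the removed para, "Do not allow execution of binaries on this file system.", is accurate and the nosuid entry immediately after it keeps the same <varlistentry>/<term>/<listitem> layout, so consider keeping the noexec entry and replacing only "This is also a useful security option." with wording that agrees with mount(1), rather than leaving the option undocumented.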
> >
> > Why not fix rather than remove?
>
> This is not really a 'common' mount option to use.
Not true. In EVERY environment where a chrooted web or FTP
server existed, mounting file systems via NFS from an internal
server containing the site data, had this option. In fact,
I don't recall ever being in an environment where noexec
was missing. In addition, in the US, this option is provided as
a government requirement in the NIST 800-53 standards, part of
the CIS benchmark for FreeBSD, Linux, Solaris, etc.; part of
DISA, Linux USGCB, and is also recommended by SANS (and discussed
in GIAC certification requirements).
While I would agree this is not an enable and consider "secure"
mount option, it's always used in conjunction with other
security features/controls and users really should understand and
know that it exists.
Thanks,
--
Tom Rhodes
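The reply above describes noexec as one control layered with others on NFS-mounted site data under a chrooted web or FTP server. A practical defender check is to verify that the mounted file systems actually carry the options the host's baseline expects, since a mount that was re-mounted or added by hand can silently lose them. The POSIX sh functions below are an added example, not code from the thread or from the FreeBSD handbook; they parse mount(8)-style output in the "device on mountpoint (opt, opt, ...)" layout and report missing options. The mount lines in SAMPLE_MOUNTS are constructed, not captured from a real host. Keep in mind that noexec is enforced at execve(), so it only blocks running files from the mount directly; it is a layer, as the reply says, not a complete control on its own.

```shell
#!/bin/sh
# Constructed sample of mount(8) output (FreeBSD layout), not from a real system.
SAMPLE_MOUNTS='internal:/export/www on /var/www (nfs, nosuid, noexec, read-only)
/dev/ada0p2 on / (ufs, local, journaled soft-updates)
/dev/ada0p3 on /tmp (ufs, local, nosuid)'

# mount_opts "<mount output>" "<mountpoint>": print the option list of the
# given mount point, one option per line; prints nothing if it is not mounted.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $3 == mp {
            s = $0
            sub(/^[^(]*\(/, "", s)   # drop everything up to the opening paren
            sub(/\)$/, "", s)        # drop the closing paren
            n = split(s, a, /, */)
            for (i = 1; i <= n; i++) print a[i]
        }'
}

# has_opt "<mount output>" "<mountpoint>" "<option>": exit 0 if the mount
# point carries exactly that option, 1 otherwise.
has_opt() {
    mount_opts "$1" "$2" | grep -qx "$3"
}

# check_hardening "<mount output>" "<mountpoint>" opt...: print which expected
# options are missing from the mount point; exit 0 only when all are present.
check_hardening() {
    out=$1; mp=$2; shift 2
    missing=""
    for o in "$@"; do
        has_opt "$out" "$mp" "$o" || missing="$missing $o"
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: ok"
    return 0
}

# Demonstration against the constructed sample. On a live host you would pass
# "$(mount)" instead of "$SAMPLE_MOUNTS".
check_hardening "$SAMPLE_MOUNTS" /var/www nosuid noexec
check_hardening "$SAMPLE_MOUNTS" /tmp nosuid noexec nodev || true
```

The second call reports `/tmp: missing noexec nodev`, which is the kind of drift a periodic job or a configuration audit would flag; pairing the check with the fstab entry that is supposed to set those options shows whether the running state matches the intended baseline.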