linux-ext4.vger.kernel.org archive mirror
From: bugzilla-daemon@bugzilla.kernel.org
To: linux-ext4@vger.kernel.org
Subject: [Bug 29212] noexec on file level (acl)
Date: Wed, 16 Feb 2011 15:35:04 GMT	[thread overview]
Message-ID: <201102161535.p1GFZ4xR020006@demeter1.kernel.org> (raw)
In-Reply-To: <bug-29212-13602@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=29212
--- Comment #2 from krzf83@gmail.com  2011-02-16 15:35:03 ---
Disallowing access to binary programs like nmap, sendmail, perhaps ping is a
good practice on a shared system. The user can however put his own copies of these
programs in his home dir. If /home is mounted without noexec he can run those.
With noexec he can't. Of course scripting languages can still be used,
but they are less of a threat for now.
(mounting /tmp and /dev/shm is also a common security practice)
There are situations when it would be very wasteful and inconvenient to mount
the whole filesystem with noexec. Perhaps you want to execute code in some
directories on /home, perhaps you want to allow some users to execute code on
/home, or perhaps you want to disallow execution in some locations recursively
and still allow it in other locations. I'm not sure what the best form of
setting and storing data for such functionality is, as I doubt anyone will catch
this and want to program it into the kernel.
However, a more precise noexec for specific locations in the filesystem, not just
the whole filesystem, is what I've been looking for for years now.

-- 
Configure bugmail: https://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
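The comment above treats noexec on /home, /tmp and /dev/shm as the baseline practice. The following is an added example, not part of the bug report: a POSIX shell audit that parses /proc/mounts-formatted lines and reports which of the given mount points are not mounted with noexec. The mount table embedded here is constructed for the demonstration; point the functions at the real /proc/mounts to audit a live host.

```shell
#!/bin/sh
# Added example: audit mount points for the noexec option.
# Input format is that of /proc/mounts: "device mountpoint fstype options dump pass".

# Constructed /proc/mounts excerpt (not from a real system).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,relatime,data=ordered 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# has_opt MOUNTS_TEXT MOUNTPOINT OPTION
# Exit 0 if MOUNTPOINT appears in MOUNTS_TEXT with OPTION in its option list.
# Options are matched as whole comma-separated tokens, so "noexec" does not
# match a substring of some other option.
has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# missing_noexec MOUNTS_TEXT MOUNTPOINT...
# Prints, space-separated, the mount points that lack noexec. A path that is
# not a mount point at all is also reported, since it inherits its parent's
# (presumably exec-permitting) options.
missing_noexec() {
    mounts=$1; shift
    result=""
    for mp in "$@"; do
        if ! has_opt "$mounts" "$mp" noexec; then
            result="$result $mp"
        fi
    done
    printf '%s' "${result# }"
}

# Stand-alone run: audit the constructed table, then the live host if possible.
echo "sample: missing noexec on: $(missing_noexec "$SAMPLE_MOUNTS" /home /tmp /dev/shm)"
if [ -r /proc/mounts ]; then
    echo "live:   missing noexec on: $(missing_noexec "$(cat /proc/mounts)" /home /tmp /dev/shm)"
fi
```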
