public inbox for linux-kernel@vger.kernel.org
* noexec-flag does not work in Linux 2.4.10-pre10
@ 2001-09-20 18:05 Peter Bornemann
  2001-09-20 21:17 ` Andreas Dilger
  2001-09-20 21:17 ` Alexander Viro
  0 siblings, 2 replies; 6+ messages in thread
From: Peter Bornemann @ 2001-09-20 18:05 UTC (permalink / raw)
  To: linux-kernel

It seems that the noexec in fstab no longer works. Is this
intentional?

In fstab I have the following line:

/dev/hda1       /dosc   vfat    codepage=850,umask=000,noexec 0 0

A ls -l in /dosc shows:

-rwxrwxrwx    1 root     root     267657216 Jun 28 22:34 win386.swp

The same case with iso9660:

-r-xr-xr-x    1 root     root            0 Jan 24  2000 s3cd1.dat

However umask=111 is still working. I don't know exactly when this
happened, but it was not there in earlier 2.4 kernels.

Regards

Peter B



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: noexec-flag does not work in Linux 2.4.10-pre10
  2001-09-20 18:05 noexec-flag does not work in Linux 2.4.10-pre10 Peter Bornemann
@ 2001-09-20 21:17 ` Andreas Dilger
  2001-09-20 23:24   ` Peter Bornemann
  2001-09-20 21:17 ` Alexander Viro
  1 sibling, 1 reply; 6+ messages in thread
From: Andreas Dilger @ 2001-09-20 21:17 UTC (permalink / raw)
  To: Peter Bornemann; +Cc: linux-kernel

On Sep 20, 2001  20:05 +0200, Peter Bornemann wrote:
> It seems that the noexec in fstab no longer works. Is this
> intentional?
> 
> In fstab I have the following line:
> 
> /dev/hda1       /dosc   vfat    codepage=850,umask=000,noexec 0 0
> 
> A ls -l in /dosc shows:
> 
> -rwxrwxrwx    1 root     root     267657216 Jun 28 22:34 win386.swp
> 
> The same case with iso9660:
> 
> -r-xr-xr-x    1 root     root            0 Jan 24  2000 s3cd1.dat
> 
> However umask=111 is still working. I don't know exactly when this
> happened, but it was not there in earlier 2.4 kernels.

Are you sure this is actually a problem?  Can you really exec these
files, or is it just a matter of the flag?  Some changes were made
to mount flags by Al Viro.  If you really want the flags gone, you
should use a different umask (e.g. umask=111).  The noexec flag
means (for filesystems that actually have permissions) that _even if_
the "x" bit is set, it cannot be executed.

Cheers, Andreas
--
Andreas Dilger  \ "If a man ate a pound of pasta and a pound of antipasto,
                 \  would they cancel out, leaving him still hungry?"
http://www-mddsp.enel.ucalgary.ca/People/adilger/               -- Dogbert


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: noexec-flag does not work in Linux 2.4.10-pre10
  2001-09-20 18:05 noexec-flag does not work in Linux 2.4.10-pre10 Peter Bornemann
  2001-09-20 21:17 ` Andreas Dilger
@ 2001-09-20 21:17 ` Alexander Viro
  1 sibling, 0 replies; 6+ messages in thread
From: Alexander Viro @ 2001-09-20 21:17 UTC (permalink / raw)
  To: Peter Bornemann; +Cc: linux-kernel



On Thu, 20 Sep 2001, Peter Bornemann wrote:

> It seems that the noexec in fstab no longer works. Is this
> intentional?
> 
> In fstab I have the following line:
> 
> /dev/hda1       /dosc   vfat    codepage=850,umask=000,noexec 0 0
> 
> A ls -l in /dosc shows:
> 
> -rwxrwxrwx    1 root     root     267657216 Jun 28 22:34 win386.swp

... and?  What happens if you do cp /bin/ls /dosc && /dosc/ls ?


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: noexec-flag does not work in Linux 2.4.10-pre10
  2001-09-20 21:17 ` Andreas Dilger
@ 2001-09-20 23:24   ` Peter Bornemann
  2001-09-20 23:39     ` Alexander Viro
  0 siblings, 1 reply; 6+ messages in thread
From: Peter Bornemann @ 2001-09-20 23:24 UTC (permalink / raw)
  To: Andreas Dilger, Alexander Viro; +Cc: linux-kernel

On Thu, 20 Sep 2001, Andreas Dilger wrote:


> Are you sure this is actually a problem?  Can you really exec these
> files, or is it just a matter of the flag?  Some changes were made
> to mount flags by Al Viro.  If you really want the flags gone, you
> should use a different umask (e.g. umask=111).  The noexec flag
> means (for filesystems that actually have permissions) that _even if_
> the "x" bit is set, it cannot be executed.

OK copying /bin/ls to /dosc and executing it gives:

peter@eduard:~ > /dosc/ls
bash: /dosc/ls: Keine Berechtigung (no permission)

This is no problem for me but an inconvenience. If You see all
the x-flags You believe in the executability (is that right?), moreover,
as on my system executables are displayed in red colour, I feel my eyes
are deceived to some extent.
But, as umask=111 works, I will switch to that.

Thanks a lot!

Peter B


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: noexec-flag does not work in Linux 2.4.10-pre10
  2001-09-20 23:24   ` Peter Bornemann
@ 2001-09-20 23:39     ` Alexander Viro
  2001-09-21 10:51       ` Padraig Brady
  0 siblings, 1 reply; 6+ messages in thread
From: Alexander Viro @ 2001-09-20 23:39 UTC (permalink / raw)
  To: Peter Bornemann; +Cc: Andreas Dilger, linux-kernel



On Fri, 21 Sep 2001, Peter Bornemann wrote:

> This is no problem for me but an inconvenience. If You see all
> the x-flags You believe in the executability (is that right?), moreover,
> as on my system executables are displayed in red colour, I feel my eyes
> are deceived to some extent.

Then you've never used noexec on normal filesystems (after all, _that_
is the intended use - prohibit execution of binaries from potentially
unsafe place, and in that case you are interested in all mode bits, so
you want them to be reported).  Try to remount some normal fs noexec
(_not_ one that contains mount(8), or you'll have really big trouble
on hands).  Then look at it - exec bits are still there and they
are still reported.

> But, as umask=111 works, I will switch to that.
> 
> Thanks a lot!
> 
> Peter B
> 


^ permalink raw reply	[flat|nested] 6+ messages in thread
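Added example (not part of any message in this thread, and not kernel code): a small Python check that separates the two things the thread keeps apart, the mode bits that ls reports and the noexec mount option that the kernel enforces at exec time. The mount table is a constructed sample; the /dosc line mirrors the fstab entry quoted above, and the function names and the /cdrom and / entries are assumptions made for the illustration.

```python
import os
import stat

# Constructed /proc/self/mounts sample. The /dosc line mirrors the fstab
# entry quoted in the thread; the other two lines are made up.
SAMPLE_MOUNTS = """\
/dev/hda2 / ext2 rw 0 0
/dev/hda1 /dosc vfat rw,noexec,codepage=850,umask=000 0 0
/dev/hdc /cdrom iso9660 ro,noexec 0 0
"""

def mount_for(path, mounts_text):
    """Return (mount_point, options) for the longest mount point containing path."""
    best = ("", set())
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, opts = fields[1], set(fields[3].split(","))
        # Match on a whole path component so /dosc does not claim /doscx.
        prefix = mnt.rstrip("/") + "/"
        if (path == mnt or path.startswith(prefix)) and len(mnt) >= len(best[0]):
            best = (mnt, opts)  # >= lets a later mount on the same point win
    return best

def exec_verdict(path, mode, mounts_text):
    """Combine what ls shows (mode bits) with what the mount flag allows."""
    mnt, opts = mount_for(path, mounts_text)
    has_x = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if not has_x:
        return "not executable: no x bit in mode"
    if "noexec" in opts:
        return "x bit reported, but exec denied: %s is mounted noexec" % mnt
    return "executable"

def live_noexec(path):
    """Ask the running kernel the same question through statvfs(2)."""
    return bool(os.statvfs(path).f_flag & os.ST_NOEXEC)

if __name__ == "__main__":
    samples = [
        ("/dosc/win386.swp", 0o100777),   # umask=000 on vfat: every x bit set
        ("/dosc/readme.txt", 0o100666),   # what umask=111 would report
        ("/bin/ls", 0o100755),
    ]
    for path, mode in samples:
        print(path, stat.filemode(mode), "->", exec_verdict(path, mode, SAMPLE_MOUNTS))
```
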

* Re: noexec-flag does not work in Linux 2.4.10-pre10
  2001-09-20 23:39     ` Alexander Viro
@ 2001-09-21 10:51       ` Padraig Brady
  0 siblings, 0 replies; 6+ messages in thread
From: Padraig Brady @ 2001-09-21 10:51 UTC (permalink / raw)
  To: Alexander Viro; +Cc: linux-kernel

Alexander Viro wrote:

>
>On Fri, 21 Sep 2001, Peter Bornemann wrote:
>
>>This is no problem for me but an inconvenience. If You see all
>>the x-flags You believe in the executability (is that right?), moreover,
>>as on my system executables are displayed in red colour, I feel my eyes
>>are deceived to some extent.
>>
>
>Then you've never used noexec on normal filesystems (after all, _that_
>is the intended use - prohibit execution of binaries from potentially
>unsafe place, and in that case you are interested in all mode bits, so
>you want them to be reported).
>

I wondered what you gain by noexec actually as there is always a way to
execute code you can read. For e.g. if you want to execute a binary from
/mnt/unsafe you can do (RH7.1):  /lib/ld-linux.so.2 /mnt/unsafe/hack.bin ?

>  Try to remount some normal fs noexec
>(_not_ one that contains mount(8), or you'll have really big trouble
>on hands).  Then look at it - exec bits are still there and they
>are still reported.
>
>>But, as umask=111 works, I will switch to that.
>>
>>Thanks a lot!
>>
>>Peter B
>>




^ permalink raw reply	[flat|nested] 6+ messages in thread
