Re: [PATCH/RFC] do not source/exec scripts on noexec mount points
From: Chet Ramey
Subject: Re: [PATCH/RFC] do not source/exec scripts on noexec mount points
Date: Wed, 16 Dec 2015 15:23:50 -0500
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.4.0

On 12/14/15 12:17 AM, Mike Frysinger wrote:

> (1) the examples i already provided do not involve the user at all, and
> include systems where the user has no direct access to the shell.

You didn't really provide any examples. You mentioned ChromeOS and vaguely
referenced "other verified boot systems".

If non-general-purpose systems is the set of systems for which this
proposal is in scope, that changes the impact. Since you generally build
custom versions for such systems, a configuration-time option to enable
this behavior is more reasonable.

> (2) choice over runtime functionality is by the sysadmin, not the user.

In this case, or in general?

> (3) i disagree over the scope of noexec. i think this is in-scope.

I really don't agree that it's in the spirit of noexec.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU chet@case.edu http://cnswww.cns.cwru.edu/~chet/