bug-bash

Re: [PATCH/RFC] do not source/exec scripts on noexec mount points


From: John McKown
Subject: Re: [PATCH/RFC] do not source/exec scripts on noexec mount points
Date: Wed, 16 Dec 2015 14:29:30 -0600

FWIW (not much), I'm going to go with Chet on this. It may be my ignorance speaking, but what can I do in a BASH shell script which I cannot do (at all) just by entering the commands by hand?

On Wed, Dec 16, 2015 at 2:23 PM, Chet Ramey <chet.ramey@case.edu> wrote:

On 12/14/15 12:17 AM, Mike Frysinger wrote:

>
> (1) the examples i already provided do not involve the user at all, and
>     include systems where the user has no direct access to the shell.

You didn't really provide any examples. You mentioned ChromeOS and vaguely
referenced "other verified boot systems".

If non-general-purpose systems is the set of systems for which this
proposal is in scope, that changes the impact.  Since you generally build
custom versions for such systems, a configuration-time option to enable
this behavior is more reasonable.

> (2) choice over runtime functionality is by the sysadmin, not the user.

In this case, or in general?

> (3) i disagree over the scope of noexec.  i think this is in-scope.

I really don't agree that it's in the spirit of noexec.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/




--

Schrodinger's backup: The condition of any backup is unknown until a restore is attempted.

Yoda of Borg, we are. Futile, resistance is, yes. Assimilated, you will be.

He's about as useful as a wax frying pan.

10 to the 12th power microphones = 1 Megaphone

Maranatha! <><
John McKown
