Mike Frysinger wrote:
> But bash itself has no problem running this file:
>   $ bash /dev/shm/test.sh
>   hi
>...
> This detracts from the security of the overall system.  People
> writing scripts sometimes want to save/restore state (like
> variables) and will restore the content from a noexec point using
> the aforementioned source command without realizing that it executes
> code too.  Of course their code is wrong, but it would be nice if
> the system would catch & reject it explicitly to stave off
> inadvertent usage.

I don't think it makes sense for a userland program to be an enforcer
of this type of check.  It gives a false impression of a security that
does not exist.  Which I think is more dangerous.  It will almost
certainly get in the way of a reasonable use case.  And nothing
prevents one from running a private copy of a shell without such a
check.  Or any of the many compatible /bin/sh variants such as ksh,
zsh, ash, dash, and so forth.

Bob
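
The state-restore case quoted above, as an added example that is not part of the original thread: a POSIX sh function that reads saved variables as data instead of passing the file to `source`. The function names, the `STATE_*` variable names and the sample file contents are assumptions made for illustration.

```sh
# Added example; function, variable and file names are hypothetical.

# restore_state FILE: read KEY=VALUE lines and assign only allowlisted keys.
# Values stay literal text: nothing is expanded, substituted or sourced.
# Returns 0 if every line was accepted, 1 otherwise.
restore_state() {
    _file=$1
    _rc=0
    [ -r "$_file" ] || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in
            ''|'#'*) continue ;;            # blank line or comment
            *=*) ;;                          # candidate KEY=VALUE
            *) _rc=1; continue ;;            # not an assignment: reject
        esac
        _key=${_line%%=*}
        _val=${_line#*=}
        case $_key in
            STATE_COUNTER)                   # must be a decimal integer
                case $_val in
                    ''|*[!0-9]*) _rc=1 ;;
                    *) STATE_COUNTER=$_val ;;
                esac ;;
            STATE_LAST_RUN) STATE_LAST_RUN=$_val ;;
            *) _rc=1 ;;                      # unknown key: never assigned
        esac
    done < "$_file"
    return "$_rc"
}

# write_sample_state FILE MARKER: constructed sample input with one valid line,
# one command substitution (kept literal by the escaped \$) and one unknown key.
write_sample_state() {
    cat > "$1" <<EOF
# saved by a previous run
STATE_COUNTER=41
STATE_LAST_RUN=\$(touch $2)
PATH=/tmp/untrusted
EOF
}

# Demo: sourcing this file would run touch and replace PATH; this does neither.
_d=$(mktemp -d)
write_sample_state "$_d/state" "$_d/marker"
restore_state "$_d/state" || echo "some lines were rejected"
echo "counter=$STATE_COUNTER last_run=$STATE_LAST_RUN"
[ -e "$_d/marker" ] || echo "marker not created: nothing was executed"
rm -rf "$_d"
```

Because the file is only ever read, the result is the same whether or not it sits on a noexec mount.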
