Brendan Grossman wrote:
> Here is my reason for separating /tmp and mounting it noexec,nosuid:

Quoth mount(8):
             noexec  Do not allow execution of any binaries on the mounted
                     file system.  This option is useful for a server that has
                     file systems containing binaries for architectures other
                     than its own.  Note: This option was not designed as a
                     security feature and no guarantee is made that it will
                     prevent malicious code execution; for example, it is
                     still possible to execute scripts which reside on a
                     noexec mounted partition.

Mounting /tmp as noexec causes perfectly good code to gratuitously fail,
while providing no real security improvement.

Colin Percival
FreeBSD Security Officer
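A defender-side audit check for the point made above, added here as an example and not part of the thread: given a mount table (a constructed sample below, FreeBSD-style device names and paths assumed), it resolves which mount holds a path and reports whether noexec applies there. As mount(8) says, that flag only governs direct execution of the file itself, which is why it is an inventory check and not a security control.

```shell
#!/bin/sh
# Added example (not code from the thread). Mount-table lines are in
# "<device> <mountpoint> <fstype> <options>" form, mirroring mount(8) output.

# Constructed sample mount table (not taken from a real host).
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw
/dev/ada0p3 /tmp ufs rw,noexec,nosuid
/dev/ada0p4 /usr ufs rw
tmpfs /tmp/build tmpfs rw'

# mount_for_path PATH -> prints the table line whose mountpoint is the
# longest prefix of PATH (longest match wins, as the kernel lookup does).
mount_for_path() {
    printf '%s\n' "$SAMPLE_MOUNTS" | awk -v p="$1" '
    {
        mp = $2
        # "/" holds everything; otherwise PATH must equal the mountpoint
        # or continue below it with a "/" separator (so /tmpfoo is not /tmp).
        if (mp == "/" || p == mp || index(p, mp "/") == 1) {
            if (length(mp) > best) { best = length(mp); line = $0 }
        }
    }
    END { print line }'
}

# has_option LINE OPT -> exit 0 if OPT is one of the comma-separated options.
has_option() {
    printf '%s\n' "$1" | awk -v o="$2" '
    { n = split($4, a, ","); for (i = 1; i <= n; i++) if (a[i] == o) found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# exec_policy PATH -> "noexec" or "exec" for the mount holding PATH.
# noexec only makes execve(2) of a file on that mount fail; a file read
# as data by an interpreter is not affected, which is the man page's caveat.
exec_policy() {
    line=$(mount_for_path "$1")
    if has_option "$line" noexec; then echo noexec; else echo exec; fi
}
```

Run as `exec_policy /tmp/somefile` after sourcing; swapping SAMPLE_MOUNTS for real mount(8) output turns it into a host audit.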