On Tue, 31 Mar 2015 14:37:53 +0100
Gareth Nelson wrote:

> For scripts that are set executable, it works exactly the same way - for
> everything else it won't work unless the interpreter is patched, it's still
> an overall massive improvement in security.

Maybe on other systems (I know a Linux distro did this), but when you
consider OpenBSD with the potential of read-only mounts and chflags schg
available, then replacing the kernel is the danger that hasn't been
circumvented by this proposal, and those options have next to no
performance hit.

One item on my todo list is to create wrappers for interpreters that
honour noexec mount points and deny inputs other than from the
filesystem (if possible) and using permissions (suid or sudo -u) to
prevent execution of interpreters by anything other than the wrappers
group and root.

One of the alleged reasons for the systemd madness is to get rid of
interpreters, as various security agencies (who may be Red Hat's
customers) suggest their removal, but that's simply dumb considering the
value of interpreters.
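
The wrapper idea in the second paragraph (honour noexec, accept only a script file from the filesystem), sketched as an added Python example that is not from the poster; it assumes mount(8)-style output lines of the form "dev on mountpoint type fs (opts)" and uses a constructed mount table, and leaves the suid/sudo group restriction to the OS.

```python
import os
from typing import List, Set, Tuple

# Constructed sample mount table (assumption: OpenBSD mount(8) output format).
SAMPLE_MOUNTS = """\
/dev/sd0a on / type ffs (local)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid, noexec)
/dev/sd0e on /home type ffs (local, nodev, nosuid)
/dev/sd0f on /home/build type ffs (local, nodev)
"""

def parse_mounts(text: str) -> List[Tuple[str, Set[str]]]:
    """Return (mountpoint, options) pairs from mount(8)-style output."""
    table = []
    for line in text.splitlines():
        if " on " not in line or "(" not in line or ")" not in line:
            continue
        mountpoint = line.split(" on ", 1)[1].split(" type ", 1)[0]
        opts = line[line.rindex("(") + 1:line.rindex(")")]
        table.append((mountpoint, {o.strip() for o in opts.split(",")}))
    return table

def mount_options_for(path: str, table) -> Set[str]:
    """Options of the mount holding path: longest mount point that prefixes it."""
    norm = os.path.abspath(path)
    best, best_opts = "", set()
    for mp, opts in table:
        if (norm == mp or norm.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best, best_opts = mp, opts
    return best_opts

def wrapper_decision(argv: List[str], table) -> Tuple[bool, str]:
    """Decide whether the wrapper may hand argv to the real interpreter.
    Only a script file on an exec-permitted mount is accepted: no inline
    code (-c/-e), no stdin ('-' or no script), and no noexec mount."""
    if not argv:
        return False, "deny: no script path given (stdin input refused)"
    for arg in argv:
        if arg in {"-c", "-e", "-"}:
            return False, f"deny: inline/stdin input via {arg!r} refused"
    script = argv[0]
    if script.startswith("-"):
        return False, f"deny: unrecognised interpreter option {script!r}"
    if "noexec" in mount_options_for(script, table):
        return False, f"deny: {script} lives on a noexec mount"
    return True, f"allow: {script}"
```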
