Ian <[EMAIL PROTECTED]> writes:

> for example, an insecure cgi script could allow a user to write to /tmp
> and get the web server to execute the script. By mounting /tmp noexec,
> this problem is potentially prevented (aside from the insecure script).

What sort of insecure cgi script are you thinking of? If it's being coerced into letting the user write a file and execute it, it can presumably be coerced to just directly execute whatever it wants without the rigamarole.

> so surely, if nothing needs to be executed, it is better to mount
> noexec?

noexec has no good purpose, really. But its intention was for networked filesystems in certain environments, not a generalized security tool. In any case, it's part of the normal conventions of all Unix-based systems that /tmp is accessible to every user, for writing files and for executing them.