On 19/04/16 18:48, Joe Schillinger wrote:
Hi misc,
Should /home be mounted as noexec by default for security? I noticed
~/bin is in the default $PATH (via /etc/skel/.profile), but isn't this
somewhat of a security risk? Theoretically, if a threat has unprivileged
access, wouldn't it be able to execute unauthorized programs?
Someone mentioned this to me after they saw I was using ~/bin to house
my scripts, and it made me think. Anyone have any info on whether this
is/is not an issue? Are protections already in place in OpenBSD to
mitigate this? Am I getting trolled?
Thanks,
Joe
If users are supposed to run their programs in their home dir under
their privileges
I see no security risk there. They are allowed to run shells, perl, php,
python so they can mess up an insecure system without needing a native
binary in their home.
On the other hand, in filesystems like /tmp /var /var/www where you
might not need to host executables you can mount noexec (depends on the
case)
G
