| From | Mike Frysinger <vapier@gentoo.org> |
|---|---|
| Newsgroups | gnu.bash.bug |
| Subject | Re: [PATCH/RFC] do not source/exec scripts on noexec mount points |
| Date | 2015-12-14 00:22 -0500 |
| Message-ID | <mailman.2053.1450070532.31583.bug-bash@gnu.org> |
| References | <1449954086-30408-1-git-send-email-vapier@gentoo.org> <20151212230510.GA7176@chaz.gmail.com> |
On 12 Dec 2015 23:05, Stephane Chazelas wrote:
> 2015-12-12 16:01:26 -0500, Mike Frysinger:
> [...]
> > This is not a perfect solution as it can still be worked around by
> > inlining the code itself:
> > $ bash -c "$(cat /dev/shm/test.sh)"
> > hi
>
> Or
>
> cat /dev/shm/test.sh | bash

right, there's no way to look through pipes

> I think this kind of hardening is better left to things like
> selinux/apparmor.

security is not an all-or-nothing proposition. the whole point is to have
defence in depth.
-mike
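
The check named in the subject line, as an added example (not code from the patch, which this page does not show): decide whether a script path sits on a `noexec` mount. The mount table is a constructed sample and all function names are hypothetical. As the thread notes, a check like this only applies when there is a file path to inspect, so piped or inlined code is outside its reach.

```python
import os

# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /mnt/usb\\040stick vfat rw,noexec,nosuid 0 0
"""

def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo (octal).
    out, i = [], 0
    while i < len(field):
        oct3 = field[i + 1:i + 4]
        if field[i] == "\\" and len(oct3) == 3 and all(c in "01234567" for c in oct3):
            out.append(chr(int(oct3, 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)

def parse_mounts(text):
    """Return [(mount_point, options_set), ...] in table order."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts.append((_unescape(parts[1]), set(parts[3].split(","))))
    return mounts

def on_noexec_mount(path, mounts):
    """True if the deepest mount containing path carries noexec."""
    # normpath only; a real check should resolve symlinks first.
    path = os.path.normpath(path)
    best = None
    for mpoint, opts in mounts:
        mp = mpoint.rstrip("/") or "/"
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            # >= so a later mount over the same point wins.
            if best is None or len(mp) >= len(best[0]):
                best = (mp, opts)
    return best is not None and "noexec" in best[1]

def live_noexec(path):
    # Same question asked of the running kernel (Linux), no table parsing.
    return bool(os.statvfs(path).f_flag & os.ST_NOEXEC)
```
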