From: Chet Ramey
Newsgroups: gnu.bash.bug
Subject: Re: [PATCH/RFC] do not source/exec scripts on noexec mount points
Date: Wed, 16 Dec 2015 15:23:50 -0500
Reply-To: chet.ramey@case.edu
To: konsolebox, bug-bash
Cc: chet.ramey@case.edu
References: <1449954086-30408-1-git-send-email-vapier@gentoo.org> <20151214051712.GS11489@vapier.lan>
In-Reply-To: <20151214051712.GS11489@vapier.lan>

On 12/14/15 12:17 AM, Mike Frysinger wrote:

> (1) the examples i already provided do not involve the user at all, and
> include systems where the user has no direct access to the shell.

You didn't really provide any examples. You mentioned ChromeOS and vaguely
referenced "other verified boot systems".

If non-general-purpose systems is the set of systems for which this proposal
is in scope, that changes the impact. Since you generally build custom
versions for such systems, a configuration-time option to enable this
behavior is more reasonable.

> (2) choice over runtime functionality is by the sysadmin, not the user.

In this case, or in general?

> (3) i disagree over the scope of noexec. i think this is in-scope.

I really don't agree that it's in the spirit of noexec.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates

Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/