From owner-svn-doc-all@FreeBSD.ORG Mon Jun 3 14:23:57 2013
Date: Mon, 3 Jun 2013 10:23:11 -0400
From: Tom Rhodes
To: Eitan Adler
Cc: svn-doc-head@freebsd.org, trhodes@freebsd.org, svn-doc-all@freebsd.org, doc-committers@freebsd.org
Subject: Re: svn commit: r41813 - head/en_US.ISO8859-1/books/handbook/basics
Message-Id: <20130603102311.64fa5210.trhodes@FreeBSD.org>
References: <201306011544.r51FijdA036793@svn.freebsd.org> <20130603075528.31629010.trhodes@FreeBSD.org>

On Mon, 3 Jun 2013 14:49:49 +0200
Eitan Adler wrote:

> On 3 June 2013 13:55, Tom Rhodes wrote:
> > On Sat, 1 Jun 2013 15:44:45 +0000 (UTC)
> > Eitan Adler wrote:
> >
> >> Author: eadler
> >> Date: Sat Jun 1 15:44:45 2013
> >> New Revision: 41813
> >> URL: http://svnweb.freebsd.org/changeset/doc/41813
> >>
> >> Log:
> >> The man page for mount(1) and the handbook disagree on the security value of 'noexec'. The man page is correct.
> >>
> >> Modified:
> >> head/en_US.ISO8859-1/books/handbook/basics/chapter.xml
> >>
> >> Modified: head/en_US.ISO8859-1/books/handbook/basics/chapter.xml
> >> ==============================================================================
> >> --- head/en_US.ISO8859-1/books/handbook/basics/chapter.xml Sat Jun 1 15:37:57 2013 (r41812)
> >> +++ head/en_US.ISO8859-1/books/handbook/basics/chapter.xml Sat Jun 1 15:44:45 2013 (r41813)
> >> @@ -1790,15 +1790,6 @@ root 5211 0.0 0.2 3620 1724 2
> >>
> >>
> >>
> >> - noexec
> >> -
> >> -
> >> - Do not allow execution of binaries on this file
> >> - system. This is also a useful security option.
> >> -
> >> -
> >> -
> >> -
> >> nosuid
> >>
> >>
> >
> > Why not fix rather than remove?
>
> This is not really a 'common' mount option to use.

Not true. In EVERY environment where a chrooted web or FTP server existed, mounting file systems via NFS from an internal server containing the site data had this option. In fact, I don't recall ever being in an environment where noexec was missing.

In addition, in the US, this option is provided as a government requirement in the NIST 800-53 standards, part of the CIS benchmark for FreeBSD, Linux, Solaris, etc.; part of DISA, Linux USGCB, and is also recommended by SANS (and discussed in GIAC certification requirements).

While I would agree this is not an enable and consider "secure" mount option, it's always used in conjunction with other security features/controls and users really should understand and know that it exists.

Thanks,

--
Tom Rhodes
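Review bot: deleting the whole noexec entry leaves the option undocumented, while only the second sentence of the removed text is in dispute. Keep the entry with its first sentence ("Do not allow execution of binaries on this file system.") and replace "This is also a useful security option." with wording that matches the man page the log message says is correct, so the handbook and the man page agree on noexec without dropping it from the list next to nosuid.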
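An added example, not from this thread or the FreeBSD documentation: a POSIX sh check of the kind a CIS or NIST 800-53 style benchmark run performs, reporting mount points whose fstab entry lacks noexec. The fstab contents, devices and mount points are constructed.

```shell
#!/bin/sh
# Added example, not from this thread or the FreeBSD docs: audit an fstab-style
# file for mount points that a hardening benchmark expects to carry noexec.
# Every path and device below is constructed for illustration.

# missing_noexec FSTAB MOUNTPOINT...
# Prints each listed mount point whose fstab entry lacks "noexec" (or that has
# no entry at all). Returns 1 if anything was printed, 0 if all are covered.
missing_noexec() {
    fstab=$1; shift
    rc=0
    for mp in "$@"; do
        # Field 2 is the mount point, field 4 the comma-separated option list;
        # a substring match would accept bogus values, so compare whole options.
        has=$(awk -v mp="$mp" '
            $1 ~ /^#/ || NF < 4 { next }
            $2 == mp {
                found = 1
                n = split($4, opts, ",")
                for (i = 1; i <= n; i++) if (opts[i] == "noexec") ok = 1
            }
            END { if (found && ok) print "yes"; else print "no" }' "$fstab")
        if [ "$has" != "yes" ]; then
            echo "$mp"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample fstab: /tmp is hardened, /var/tmp is not, and the NFS share
# holding a chrooted web server's site data is mounted ro,noexec,nosuid.
SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
# Device        Mountpoint      FStype  Options                 Dump    Pass#
/dev/ada0p2     /               ufs     rw                      1       1
/dev/ada0p3     /tmp            ufs     rw,noexec,nosuid        2       2
/dev/ada0p4     /var/tmp        ufs     rw                      2       2
nfs1:/site      /usr/local/www  nfs     ro,noexec,nosuid,nfsv4  0       0
EOF

# Report the gaps; the "||" keeps a non-zero status from aborting under set -e.
missing_noexec "$SAMPLE_FSTAB" /tmp /var/tmp /usr/local/www \
    || echo "the mount points above lack noexec"
```

Run it against a real /etc/fstab by passing that path and the mount points your benchmark lists; a missing entry counts as a gap, since a file system not in fstab is not guaranteed noexec at boot.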