Date: Mon, 3 Jun 2013 10:23:11 -0400
From: Tom Rhodes <trhodes@FreeBSD.org>
To: Eitan Adler <eadler@freebsd.org>
Cc: svn-doc-head@freebsd.org, trhodes@freebsd.org, svn-doc-all@freebsd.org, doc-committers@freebsd.org
Subject: Re: svn commit: r41813 - head/en_US.ISO8859-1/books/handbook/basics
Message-ID: <20130603102311.64fa5210.trhodes@FreeBSD.org>
In-Reply-To: <CAF6rxg=45Rz2spT5JWq8fHWx0T1EOFJ4dxNx5PimB%2BJyQE%2BwQw@mail.gmail.com>
References: <201306011544.r51FijdA036793@svn.freebsd.org> <20130603075528.31629010.trhodes@FreeBSD.org> <CAF6rxg=45Rz2spT5JWq8fHWx0T1EOFJ4dxNx5PimB%2BJyQE%2BwQw@mail.gmail.com>
On Mon, 3 Jun 2013 14:49:49 +0200
Eitan Adler <eadler@freebsd.org> wrote:

> On 3 June 2013 13:55, Tom Rhodes <trhodes@freebsd.org> wrote:
> > On Sat, 1 Jun 2013 15:44:45 +0000 (UTC)
> > Eitan Adler <eadler@FreeBSD.org> wrote:
> >
> >> Author: eadler
> >> Date: Sat Jun 1 15:44:45 2013
> >> New Revision: 41813
> >> URL: http://svnweb.freebsd.org/changeset/doc/41813
> >>
> >> Log:
> >> The man page for mount(1) and the handbook disagree on the security value of 'noexec'. The man page is correct.
> >>
> >> Modified:
> >> head/en_US.ISO8859-1/books/handbook/basics/chapter.xml
> >>
> >> Modified: head/en_US.ISO8859-1/books/handbook/basics/chapter.xml
> >> ==============================================================================
> >> --- head/en_US.ISO8859-1/books/handbook/basics/chapter.xml Sat Jun 1 15:37:57 2013 (r41812)
> >> +++ head/en_US.ISO8859-1/books/handbook/basics/chapter.xml Sat Jun 1 15:44:45 2013 (r41813)
> >> @@ -1790,15 +1790,6 @@ root 5211 0.0 0.2 3620 1724 2
> >>
> >> <variablelist>
> >> <varlistentry>
> >> - <term>noexec</term>
> >> -
> >> - <listitem>
> >> - <para>Do not allow execution of binaries on this file
> >> - system. This is also a useful security option.</para>
> >> - </listitem>
> >> - </varlistentry>
> >> -
> >> - <varlistentry>
> >> <term>nosuid</term>
> >>
> >> <listitem>
> >
> > Why not fix rather than remove?
>
> This is not really a 'common' mount option to use.

Not true. In EVERY environment where a chrooted web or FTP server existed, mounting file systems via NFS from an internal server containing the site data had this option. In fact, I don't recall ever being in an environment where noexec was missing.

In addition, in the US, this option is provided as a government requirement in the NIST 800-53 standards, part of the CIS benchmark for FreeBSD, Linux, Solaris, etc.; part of DISA, Linux USGCB, and is also recommended by SANS (and discussed in GIAC certification requirements).

While I would agree this is not an enable and consider "secure" mount option, it's always used in conjunction with other security features/controls and users really should understand and know that it exists.

Thanks,

-- 
Tom Rhodes
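Review bot: the hunk deletes the entire `noexec` `<varlistentry>`, but the log message only says the Handbook's claim about the option's security value is wrong and that the man page is correct, which calls for correcting the description rather than dropping the option from the list. Keep the entry and replace `- system. This is also a useful security option.</para>` with wording that matches the man page, so the Handbook still documents noexec beside `nosuid` where readers look for it.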
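The thread's point is that noexec is one commonly required control that is checked together with others such as nosuid, not a switch that makes a file system "secure" on its own. As an added example, not code from the thread or the FreeBSD Handbook, here is a POSIX sh check that audits mount(8)-style output lines against a per-mount-point policy of required options; the mount points, the policy and the sample lines are constructed assumptions.

```shell
# Added example, not code from the thread or the FreeBSD Handbook: audit
# mount(8)-style lines against a per-mount-point policy of required options,
# the kind of check a hardening benchmark performs. Policy and sample lines
# are constructed for illustration.

# Required options for a mount point (constructed policy); empty means none.
policy_for() {
    case "$1" in
        /tmp|/var/tmp) echo "noexec nosuid" ;;
        /home)         echo "nosuid" ;;
        /srv/www)      echo "noexec nosuid read-only" ;;   # NFS-mounted site data
        *)             echo "" ;;
    esac
}

# check_mount_line '<dev> on <mountpoint> (opt1, opt2, ...)': prints
# "<mountpoint>: missing <opts>" and returns 1 if a required option is absent.
check_mount_line() {
    mp=$(printf '%s\n' "$1" | sed -n 's/^.* on \([^ ]*\) (.*)$/\1/p')
    [ -n "$mp" ] || return 0   # not a mount(8) line; nothing to check
    opts=$(printf '%s\n' "$1" | sed -n 's/^.*(\(.*\))$/\1/p' | tr ',' ' ')
    missing=""
    for want in $(policy_for "$mp"); do
        case " $opts " in
            *" $want "*) ;;                        # option present
            *) missing="$missing $want" ;;
        esac
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf '%s: missing %s\n' "$mp" "$missing"
        return 1
    fi
    return 0
}

# audit_mounts reads mount lines on stdin and returns how many fail policy.
audit_mounts() {
    fails=0
    while IFS= read -r l; do
        check_mount_line "$l" || fails=$((fails + 1))
    done
    return "$fails"
}
# Constructed sample of mount(8) output from a host serving chrooted web content.
SAMPLE='/dev/ada0p2 on / (ufs, local, soft-updates)
/dev/ada0p3 on /tmp (ufs, local, noexec, nosuid, soft-updates)
/dev/ada0p4 on /home (ufs, local, soft-updates)
nfs1:/export/www on /srv/www (nfs, noexec, nosuid, read-only)'
printf '%s\n' "$SAMPLE" | audit_mounts || echo "$? mount(s) fail policy"
```

On a live host, pipe the output of `mount` into `audit_mounts` instead of the constructed sample.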