Noexec on /home

Hi all,

I read in some documents that it is advised to use the mount option noexec also on /home. I can live with nosuid, but since I am writing scripts in /home and also execute them for testing etc., it is very annoying if I were forced to copy the scripts to /tmp all the time in order to execute them.
Sadly, in my current environment, admins are using noexec on /home as a standard setting on every box.

So from my view, noexec on /home is a tad too much.
Do any of you have experience with this in your environment, or is there an explicit example of why this is OK and should be a "must have"?

Thanks in advance.

None, as I see it.

You can still execute the script with bash script.sh, ignoring the noexec option completely.

Perhaps other members will shed more light on its usage, but I don't see it securing anything special.


The only situation I can think of where this might be useful is a shared webhosting environment with ssh access. In this case the admins might want you not to execute any stuff not provided by the hoster.

But to make this work, there must not be a single place on any non-noexec'd filesystem where the user has write access, or he can run his programs from there.

Also, as Peasant pointed out, for shell scripts there is a trivial workaround.

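A defender-side check that follows from the point above (noexec on /home only means something if no other user-writable filesystem is left without it), as an added example, not code posted by anyone in this thread: a POSIX shell function that takes /proc/mounts-style text and reports which of the given mount points lack nosuid, nodev or noexec, and which are not separate mounts at all and so inherit their parent filesystem's options. The mount table below is constructed; on a real host you would pass "$(cat /proc/mounts)" instead.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: device, mount point, fs type,
# options, dump, pass. Not taken from a real host.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda3 /boot ext4 ro,relatime 0 0'

# audit_mounts MOUNTS_TEXT MOUNTPOINT...
# For each mount point, print "<mp> missing:<opt>[,<opt>]" when one of the
# hardening options is absent, or a note when it is not a separate mount.
# Prints nothing for a mount that already carries all three options.
audit_mounts() {
    mounts="$1"; shift
    for mp in "$@"; do
        # Field 4 of the matching line is the comma-separated option list.
        opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4 }')
        if [ -z "$opts" ]; then
            printf '%s not a separate mount (inherits its parent filesystem options)\n' "$mp"
            continue
        fi
        missing=""
        for want in nosuid nodev noexec; do
            case ",$opts," in
                *,"$want",*) ;;
                *) missing="${missing:+$missing,}$want" ;;
            esac
        done
        [ -z "$missing" ] || printf '%s missing:%s\n' "$mp" "$missing"
    done
}

# Usage on the constructed table; real hosts: audit_mounts "$(cat /proc/mounts)" /home /tmp /var/tmp
audit_mounts "$SAMPLE_MOUNTS" /home /tmp /var/tmp
```

With the sample table this flags /tmp (no noexec) and /var/tmp (not its own mount), which is exactly the gap the post above describes: a world-writable place that is not covered by the /home restriction.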

Just work around it.

And rejoice in the plausible deniability it provides you should you ever want to run something they'd deem illicit. In order to nail you for that, they'd first have to demonstrate their own incompetence:

"I thought you had configured our systems so no one would be able to run unapproved apps?"

"Well, we don't know what we're doing."

"Oh, but we should trust your claims about what zaxxon did?"


Hey guys,
thanks all for your answers. It proves that I didn't really seem to miss something crucial so far. Anyway, as you said, "work around it" is the way I will have to go, since talking/discussion is futile.

I got an official answer but no explanation at all. Security is a killer argument here; it is applied generously, and they simply wait to see if someone starts to moan under this heavy blanket.
Anything else is looked at as if it were heresy, and I am getting tired of it :wink:

Have a nice weekend all!

Hang on, hang on -- they have noexec on /home and don't have it on /tmp? /tmp is world-writable, for goodness' sake.

I have the opposite situation, noexec on /tmp/, normal home folders. I also have /boot mounted read-only, which was necessary to avoid an injection attack until the real vulnerability was discovered.