
I had a long conversation about the "noexec" mount option here.

Unfortunately it looks like all this is moot. The problem is that I am trying to add the "noexec" option to the "bind"-ed mountpoint. Something like this:

/bin/tmp   /tmp   none   defaults,bind,noexec 0 0

Adding the "noexec" option as in the code above does not prevent a person from doing, for example, cd /tmp && cp /bin/cp ./ && cp.

So now the question is: is it possible to either make "noexec" work like this or do something else in order not to allow people to run programs from (as in the example above) /tmp?

Thank you.

Igor
  • @davidgo solution will work, but I found another solution [here](https://serverfault.com/questions/359530/make-home-tmp-noexec-nodev-without-a-separate-patition). – Igor Nov 27 '17 at 20:41
  • While you were writing this comment I was testing a theory and got side-tracked - I don't think mounting noexec will help - I tried a script, which would not run directly, but which I could bypass with /bin/bash /noexecedmount/script.name – davidgo Nov 27 '17 at 21:38
  • @davidgo, that's a limitation of the `noexec` mount option. But the binary will not be executed. And IA will be able to run their scripts on the machine from /tmp as they have scripts they need to run from time to time. – Igor Nov 27 '17 at 21:54

1 Answer


In order to prevent people running a program from /tmp you would need to use something like AppArmor, or more commonly SELinux. Depending on your users' access (i.e. what applications they use), you may find it easier to dump them in a chroot jail or, if it's PHP, modify php.ini to prevent executing files from certain locations and calling shells.

davidgo
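The symptom in the question (an fstab bind line with `noexec` that still lets `/tmp/cp` run) is what happens when the extra options on a bind mount are dropped, so the first thing to do is check the mount's effective flags rather than fstab. The script below is an added example, not code from the question, the answer or the linked serverfault thread: it checks a mount point's effective options in the shape `findmnt -n -o TARGET,OPTIONS` prints them, using constructed sample data, and shows the `remount,bind` step that applies `noexec` to an existing bind mount. The paths `/home/tmp` and `/tmp`, the sample option strings and the fstab layout in the comment are assumptions for illustration. The remark about util-linux 2.27 is from the mount(8) manual: older versions pass only `bind` to the kernel on the first call, and newer ones issue the remount themselves.

```shell
#!/bin/sh
# Added example (not from the original question or answer): check the
# *effective* options of a mount instead of trusting /etc/fstab, and show
# the remount that actually applies noexec to a bind mount.
#
# SAMPLE_MOUNTS is constructed test data in the shape of
#   findmnt -n -o TARGET,OPTIONS
# On a real host, replace it with that command's output.
SAMPLE_MOUNTS='/ rw,relatime,errors=remount-ro
/tmp rw,relatime
/home/tmp rw,nosuid,nodev,noexec,relatime'

# Print the comma-separated options of the mount whose target is $1
# (prints nothing if the target is not mounted).
mount_opts() {
    printf '%s\n' "$SAMPLE_MOUNTS" | awk -v t="$1" '$1 == t { print $2; exit }'
}

# Succeed only if mount $1 carries option $2 as a whole word, so that
# "exec" does not match inside "noexec" and vice versa.
mount_has_opt() {
    case ",$(mount_opts "$1")," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Report whether $1 refuses execve(2) of files it holds:
# "noexec", "exec", or "unknown" when nothing is mounted there.
exec_policy() {
    [ -n "$(mount_opts "$1")" ] || { echo unknown; return 0; }
    if mount_has_opt "$1" noexec; then echo noexec; else echo exec; fi
}

# Apply the flags to an already-mounted bind mount (needs root).  With
# util-linux older than 2.27 the options listed next to "bind" are
# silently dropped on the first mount(2) call, which is the symptom in the
# question; a second call with remount,bind sets the per-mount flags.
remount_noexec() {
    mount -o remount,bind,noexec,nosuid,nodev "$1"
}

# Equivalent fstab form for old util-linux (assumed source path; keep the
# bind line and add a remount line after it):
#   /home/tmp  /tmp  none  bind                              0 0
#   /home/tmp  /tmp  none  remount,bind,noexec,nosuid,nodev  0 0

# Usage: ./check_noexec.sh /tmp /home/tmp
#   /tmp: exec          (the bind mount from the question, flags dropped)
#   /home/tmp: noexec
if [ $# -gt 0 ]; then
    for mp in "$@"; do
        printf '%s: %s\n' "$mp" "$(exec_policy "$mp")"
    done
fi
```

Even once `noexec` is effective it only stops `execve(2)` of files on that mount; as davidgo's comment shows, `/bin/bash /tmp/script` still runs because the interpreter lives on an `exec` mount. Blocking that is what the AppArmor/SELinux suggestion in the answer is for.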