
using acl instead of noexec mount option

 
Alexandre Arents
Occasional Advisor


Hi all,

I read in a few threads and manuals that VxFS doesn't support the noexec mount option.

In the following link, Florian Heigl said that he can avoid file execution in /tmp with a little hack using ACLs:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=853550

But I am not able to do that.
We can set up a directory to disable the execution flag when a file is created in that directory, but afterwards the user can chmod a+x this file.

Maybe I misunderstood ACLs.

Any ideas?

regards,
Alexandre
Florian Heigl (new acc)
Honored Contributor

Re: using acl instead of noexec mount option

I think I misunderstood ACLs' capabilities myself. (And I only said I wanted to look into it *g*)

I hadn't expected a user could override the ACLs with a normal chmod, but I think this was more a misconception of mine; I kind of expect the directory ACL to be propagated to a newly created file.
(And except on NetWare, this was a stupid assumption of mine.)


On a side note, a few months ago I had a conversation with a friend concerning the use of noexec and he told me it's easily circumvented anyway using the shared library loader.
'easily' at least in his terms, and he actually studies that stuff ;)
I still think noexec would help fencing off the random kiddie, but it has less worth than I assumed.

FYI - I ran an apache2+php webserver on my hp box for over a year, and when it finally died it was due to a broken harddisk, not due to hackers.

The only security measures I took were:
-disabling all unwanted modules
-having the webroot mostly readonly for the apache process
-chrooted apache (using the hp supplied script)
-non-privileged apache on port 8080 and made available to port 80 by port forwarding
-php got its own tmp directory inside the chroot

I'm sorry I haven't looked into the ACLs more, they're not in use at my workplace at all. :/
yesterday I stood at the edge. Today I'm one step ahead.
Jakes Louw
Trusted Contributor

Re: using acl instead of noexec mount option

As far as I remember, HP-UX does not support ACLs on VxFS, only on standard HFS filesystems.
Trying is the first step to failure - Homer Simpson
Alexandre Arents
Occasional Advisor

Re: using acl instead of noexec mount option

Thank you for giving me this explanation.
I think I should search for another way to meet my needs.

Jakes Louw, it seems that ACLs come by default on HP-UX 11i with VxFS v4

regards,
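
The behaviour discussed in this thread, as an added example that is not part of any poster's message: a creation-time default only sets a file's initial mode, so the owner can add the execute bit afterwards, and a periodic audit is one way to notice it. The default is modelled here with umask instead of an HP-UX ACL (an assumption, so the script runs on any POSIX system), and list_executables and demo_owner_chmod are hypothetical helper names.

```shell
#!/bin/sh
# Added example: constructed demo, works only inside a throwaway temp directory.

# Audit helper: list regular files under $1 that carry any execute bit
# (owner, group or other). Uses only POSIX find syntax.
list_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Create a file under a restrictive creation default (no execute bits),
# let the owner chmod it, and report how many executables the audit
# finds before and after the chmod.
demo_owner_chmod() {
    dir=$(mktemp -d) || return 1
    (
        umask 077                        # creation-time default: file gets mode 0600
        printf '#!/bin/sh\necho ran\n' > "$dir/script.sh"
    )
    before=$(list_executables "$dir" | wc -l | tr -d ' ')
    chmod a+x "$dir/script.sh"           # the owner needs no extra privilege for this
    after=$(list_executables "$dir" | wc -l | tr -d ' ')
    rm -rf "$dir"
    echo "$before $after"
}

demo_owner_chmod   # prints "0 1"
```

Pointing list_executables at a directory such as /tmp from a scheduled job gives a report of files whose owners have turned the execute bit back on.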