
I had a long conversation about the "noexec" mount option here.

Unfortunately it looks like all this is moot. The problem is that I am trying to add the "noexec" option to the "bind"-ed mountpoint. Something like this:

/bin/tmp   /tmp   none   defaults,bind,noexec 0 0

Adding the "noexec" option as in the code above does not prevent a person from doing, for example, cd /temp && cp /bin/cp ./ && cp.

So now the question is: is it possible to either make "noexec" work like this, or do something else in order not to allow people to run programs from (as in the example above) /tmp?

Thank you.

Igor

1 Answer

In order to prevent people running a program from /tmp you would need to use something like AppArmor, or more commonly SELinux. Depending on your users' access (i.e. what applications they use), you may find it easier to dump them in a chroot jail or, if it's PHP, modify php.ini to prevent executing files from certain locations and calling shells.

davidgo
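A way to check whether "noexec" is actually in effect on a mount point such as the bind-mounted /tmp from the question, by reading the per-mount options the kernel reports in /proc/self/mountinfo. This is an added example, not part of the original question or answer; the function names are hypothetical, the sample lines are constructed, and the field layout is the one documented in proc(5).

```shell
#!/bin/sh
# Constructed sample in /proc/self/mountinfo format: /tmp is a bind mount
# that did NOT get noexec, /var/tmp is a bind mount that did.
sample_mountinfo() {
cat <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
35 22 8:1 /bin/tmp /tmp rw,relatime shared:1 - ext4 /dev/sda1 rw
36 22 8:1 /bin/vartmp /var/tmp rw,nosuid,noexec,relatime shared:1 - ext4 /dev/sda1 rw
EOF
}

# mount_opts MOUNTPOINT [MOUNTINFO_FILE]
# Print the per-mount options (field 6) of MOUNTPOINT (field 5).
# When several mounts are stacked on one path, the last matching line is
# taken as the one in effect (assumption). Paths containing spaces appear
# escaped as \040 in mountinfo and would need the same escaping here.
mount_opts() {
    awk -v mp="$1" '$5 == mp { opts = $6 } END { if (opts != "") print opts }' \
        "${2:-/proc/self/mountinfo}"
}

# check_noexec MOUNTPOINT [MOUNTINFO_FILE]
# Returns 0 if noexec is set, 1 if it is not, 2 if the path is not a mount point.
check_noexec() {
    opts=$(mount_opts "$@")
    [ -n "$opts" ] || { echo "$1: not a mount point"; return 2; }
    # Wrap in commas so only the exact option "noexec" matches.
    case ",$opts," in
        *,noexec,*) echo "$1: noexec in effect ($opts)"; return 0 ;;
        *)          echo "$1: noexec NOT in effect ($opts)"; return 1 ;;
    esac
}

# Demo on the constructed sample; drop the file argument to inspect the live system.
demo=$(mktemp)
sample_mountinfo > "$demo"
check_noexec /tmp "$demo" || true
check_noexec /var/tmp "$demo" || true
rm -f "$demo"
```

If noexec is missing on a bind mount, the flag can be set on that mount afterwards with `mount -o remount,bind,noexec /tmp`, the remount form described in mount(8).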