[BBLISA] noexec

Tom Metro tmetro+bblisa at vl.com
Fri Jan 25 12:19:40 EST 2008


Scott Ehrlich wrote:
> Is it possible to permanently change /tmp and /var/tmp to chmod o-wx, 
> and then prevent anything from ever creating world writable and 
> executable in those folders?

No. What good is an unwritable /tmp?

I think what you're trying to reinvent here is noexec. If that's the 
behavior you want, then use it. It may necessitate repartitioning your 
disk so /tmp and /home go on their own file system.

The other issue to raise in this thread is that it feels a bit 
antiquated to be imposing these kinds of restrictions on users of a 
system. If they are really that untrustworthy, then they would be better 
served being boxed off in a virtual machine. Then you can impose disk, 
memory, network, and other restrictions on the entire VM.

  -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
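
Added example, not part of the original message: a shell check for the point made in the reply, that noexec applies per filesystem, so a directory can only get it on its own if it is a separate mount. The function names and the sample mount table are constructed for illustration; a Linux /proc/mounts layout is assumed.

```shell
#!/bin/sh
# Added example: report whether a directory sits on a filesystem mounted noexec.
# Tables are in Linux /proc/mounts format: device mountpoint fstype options ...

# Constructed sample (not from a real host): /tmp has its own filesystem with
# noexec, /home has its own filesystem without it, /var/tmp lives on /var.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /var ext3 rw,nosuid 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda5 /home ext3 rw,nosuid,nodev 0 0'

# covering_mount PATH [TABLE]
# Prints "<mountpoint> <options>" for the filesystem holding PATH: the entry
# with the longest mount point that is a path prefix of PATH. Later entries
# win ties because a later mount shadows an earlier one. TABLE "-" is stdin.
covering_mount() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
            }
        }
        END { if (best != "") print best, opts }
    ' "${2:-/proc/mounts}"
}

# noexec_status PATH [TABLE] prints one of:
#   noexec          PATH is on a filesystem mounted noexec
#   exec:own-fs     PATH is a mount point, but noexec is not set
#   exec:shared-fs  PATH shares a filesystem with its parent, so it needs
#                   its own filesystem before noexec can apply to it alone
noexec_status() {
    _entry=$(covering_mount "$@")
    _mp=${_entry%% *}
    _opts=${_entry#* }
    case ",$_opts," in
        *,noexec,*) echo "noexec" ;;
        *)  if [ "$_mp" = "$1" ]; then echo "exec:own-fs"
            else echo "exec:shared-fs"; fi ;;
    esac
}

# Demo on the constructed table. On a real host, call noexec_status /tmp
# with no table argument so that it reads /proc/mounts.
for d in /tmp /var/tmp /home; do
    printf '%-9s %s\n' "$d" "$(printf '%s\n' "$SAMPLE_MOUNTS" | noexec_status "$d" -)"
done
```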



