From: Andrew Brown (atatatatatdot.net)
Date: Thu Oct 18 2001 - 17:44:56 CDT

    >>Yes, highly verboten. There is another way to accomplish this. I'll
    >>take a look, but I would suggest making THAT check dependent on a sysctl
    >>variable that defaults to "off".
    >
    >I already suggested the sysctl. Problem is, this check doesn't
    >actually close the loophole Thor is worried about, unless you also
    >(at a minimum) prohibit anyone from setting x bits on files on a
    >filesystem mounted writable-but-noexec.

    oh yeah. there's always something. i guess the mmap/noexec check is
    the "best" solution.

    -- 
    |-----< "CODE WARRIOR" >-----|
    codewarriordaemon.org             * "ah!  i see you have the internet
    twofsonetgraffiti.com (Andrew Brown)                that goes *ping*!"
    andrewcrossbar.com       * "information is power -- share the wealth."