Question about noexec flag in HAL
Kris Moore
kris at pcbsd.com
Wed Apr 30 16:03:03 UTC 2008
Joe,
Thanks for getting back to me on this. Is there any way we can drop this
flag by default? It messes with our PBI system, which are executables.
Currently users have to copy a PBI file from CD or USB to their desktop
before installing, when they should really be able to just double-click
and have it go. I don't believe their will be any security issues, in
past versions of HAL I've been taking this flag out, and we've not seen
any problems with doing so.
Thanks!
--
Kris Moore
PC-BSD Software
http://www.pcbsd.com
Joe Marcus Clarke wrote:
> On Tue, 2008-04-29 at 15:07 -0400, Kris Moore wrote:
>> Hopefully just a quick question. In the past I've had to compile HAL
>> with a patch to disable the noexec flag from being used when mounting
>> CD's. The lines in question are below:
>>
>> tools/hal-storage-mount.c
>> #ifdef __FreeBSD__
>> #define MOUNT "/sbin/mount"
>> -#define MOUNT_OPTIONS "noexec,nosuid"
>> +#define MOUNT_OPTIONS "nosuid"
>> #define MOUNT_TYPE_OPT "-t"
>>
>> This has been rather of a pain, since I don't want to keep making a
>> custom patch to remove this flag. Is there some other easy way to remove
>> the noexec flag from being used in CD mounting? I've tried by putting
>> this in my /usr/local/etc/hal/fdi/policy/preferences.fdi file:
>>
>> <device>
>> <match key="volume.fstype" string="iso9660">
>> <merge key="volume.policy.mount_option.noexec"
>> type="bool">false</merge>
>> </match>
>> </device>
>>
>> However, it doesn't seem to make a difference :(
>>
>>
>> Any other hints? Or am I stuck patching HAL itself?
>
> For now, you'll have to patch hal. It's up to the application
> requesting the FS mount to specify the mount options. However, the
> hardcoded mount options cannot be overridden. I'm willing to entertain
> the idea of dropping noexec as Linux does, but I'm not sure what the
> overall security impact of that change might be.
>
> Joe
>
>>
>>
>> ------------------------------------------------------------------------
>>
>> !DSPAM:1,4818032020032091057336!
More information about the freebsd-gnome
mailing list