[Samba] noexec as CVE-2017-7494 mitigation
Reindl Harald
h.reindl at thelounge.net
Fri May 26 11:41:19 UTC 2017

On 26.05.2017 at 10:19, Klaus Hartnegg via samba wrote:
> On 24.05.2017 at 17:50, Jeremy Allison via samba wrote:
>
>> Here are some mitigation techniques from Red Hat in
>> case servers cannot be patched immediately:
>
>> 2. Mount the filesystem which is used by samba for its writeable share,
>> using "noexec" option.
>
> I would have expected this to be standard security precaution on all
> pure file servers (which is probably the most common use of Samba).
>
> Should the Samba-Wiki tell so, or shouldn't all Linux admins be sane
> enough to already do this?

that is only true in a limited view

on real servers: yes - at least for a decade all my data-partitions for
any server type are mounted "noexec" - but on homeservers you likely are
not always in the position because you can't or will not split your
drive in tons of partitions

Filesystem  Type  Size  Used  Avail  Use%  Mounted on
/dev/md1    ext4   29G  7.0G    22G   25%  /
/dev/md0    ext4  485M   53M   428M   12%  /boot
/dev/md2    ext4  3.6T  2.3T   1.3T   65%  /mnt/data

guess what - the large /mnt/data also contains my userhomes which are
not happy with "noexec" if you run a desktop and just have some folders
shared
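
A check for the mitigation discussed in this thread, as an added example that is not part of the original message: it lists each writable share in an smb.conf and reports whether the filesystem holding its path is mounted noexec. The /srv/samba mount, all mount options and the share definitions are constructed sample data; [global] defaults and include files are not evaluated.

```python
# Constructed samples: only /dev/md1 and /dev/md2 come from the message's df output.
SAMPLE_MOUNTS = """\
/dev/md1 / ext4 rw,relatime 0 0
/dev/md2 /mnt/data ext4 rw,relatime 0 0
/dev/md3 /srv/samba ext4 rw,nosuid,nodev,noexec 0 0
"""
SAMPLE_SMB_CONF = """\
[media]
   path = /mnt/data/media
   read only = no
[dropbox]
   path = /srv/samba/dropbox
   writable = yes
[docs]
   path = /mnt/data/docs
"""
YES = {"yes", "true", "1"}

def parse_mounts(text):
    """Map mount point -> set of options from /proc/mounts-style text."""
    rows = (line.split() for line in text.splitlines())
    return {f[1]: set(f[3].split(",")) for f in rows if len(f) >= 4}

def writable_shares(conf):
    """Map share name -> path for shares that are not read-only."""
    shares, name = {}, None
    for line in map(str.strip, conf.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            shares[name] = {"readonly": "yes"}  # shares default to read-only
        elif name and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            key, value = "".join(key.lower().split()), value.strip()
            if key in ("writable", "writeable", "writeok"):  # inverted synonyms
                key, value = "readonly", "no" if value.lower() in YES else "yes"
            shares[name][key] = value
    return {n: o["path"] for n, o in shares.items()
            if n != "global" and "path" in o and o["readonly"].lower() not in YES}

def audit(conf, mounts_text):
    """Return (share, path, mount point, has_noexec) per writable share."""
    mounts, report = parse_mounts(mounts_text), []
    for share, path in sorted(writable_shares(conf).items()):
        hits = [m for m in mounts if (path + "/").startswith(m.rstrip("/") + "/")]
        mp = max(hits, key=len, default=None)  # longest prefix = owning mount
        report.append((share, path, mp, "noexec" in mounts.get(mp, ())))
    return report

if __name__ == "__main__":
    print(*audit(SAMPLE_SMB_CONF, SAMPLE_MOUNTS), sep="\n")
```

On a live host the same functions can be fed the contents of /proc/mounts and the server's smb.conf.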