[Samba] noexec as CVE-2017-7494 mitigation

Reindl Harald h.reindl at thelounge.net
Fri May 26 11:41:19 UTC 2017

On 26.05.2017 at 10:19, Klaus Hartnegg via samba wrote:
> On 24.05.2017 at 17:50, Jeremy Allison via samba wrote:
>> Here are some mitigation techniques from Red Hat in
>> case servers cannot be patched immediately:
>> 2. Mount the filesystem which is used by samba for its writeable share,
>> using "noexec" option.
> I would have expected this to be standard security precaution on all 
> pure file servers (which is probably the most common use of Samba).
> Should the Samba-Wiki tell so, or shouldn't all Linux admins be sane 
> enough to already do this?

that is only true in a limited view

on real servers: yes - at least for a decade all my data-partitions for 
any server type are mounted "noexec" - but on homeservers you likely are 
not always in the position because you can't or will not split your 
drive in tons of partitions

Filesystem     Type  Size  Used Avail Use% Mounted on
/dev/md1       ext4   29G  7.0G   22G  25% /
/dev/md0       ext4  485M   53M  428M  12% /boot
/dev/md2       ext4  3.6T  2.3T  1.3T  65% /mnt/data

guess what - the large /mnt/data also contains my userhomes which are 
not happy with "noexec" if you run a desktop and just have some folders 

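Added example, not part of the original post and not Samba code: a check for the mitigation discussed in this thread, listing writable shares whose backing filesystem is not mounted "noexec". The mount options, /dev/md3, share names and share paths are constructed sample data; [global] defaults and octal escapes in /proc/mounts are not handled, and share paths are assumed to be absolute.

```python
# Constructed sample data (not from the post); /dev/md3, share names and paths are invented.
SAMPLE_MOUNTS = """\
/dev/md1 / ext4 rw,relatime 0 0
/dev/md2 /mnt/data ext4 rw,relatime 0 0
/dev/md3 /mnt/data/public ext4 rw,nosuid,nodev,noexec,relatime 0 0
"""
SAMPLE_SMB_CONF = """\
[userhomes]
   path = /mnt/data/home
   read only = no
[public]
   path = /mnt/data/public/incoming
   writeable = yes
[archive]
   path = /mnt/data/archive
"""
YES = {"yes", "true", "1"}

def parse_shares(conf_text):
    # Minimal smb.conf reader: {section: {parameter: value}}, comments skipped.
    shares, current = {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def is_writable(params):
    # "writeable", "writable", "write ok" invert "read only", which defaults to yes.
    for key in ("writeable", "writable", "write ok"):
        if key in params:
            return params[key].lower() in YES
    return params.get("read only", "yes").lower() not in YES

def mount_options(path, mounts_text):
    # Options of the longest mount point that is a path-component prefix of path.
    rows = [line.split() for line in mounts_text.splitlines() if line.strip()]
    hits = [r for r in rows if (path + "/").startswith(r[1].rstrip("/") + "/")]
    return set(max(hits, key=lambda r: len(r[1]))[3].split(",")) if hits else set()

def writable_shares_allowing_exec(conf_text, mounts_text):
    # Writable shares (sections with a path) whose filesystem lacks noexec.
    return [name for name, p in parse_shares(conf_text).items()
            if "path" in p and is_writable(p)
            and "noexec" not in mount_options(p["path"], mounts_text)]

print(writable_shares_allowing_exec(SAMPLE_SMB_CONF, SAMPLE_MOUNTS))
```

On a real server, pass the contents of /proc/mounts and of the smb.conf in use instead of the two sample strings.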