Message-ID: <7b2ab61d-f076-45c4-a64d-757d4b0e8a1b@steeph.de>
Date: Sun, 10 Aug 2025 19:59:37 +0200
Subject: Re: Mount option `noexec` not working as expected?
To: ~alpine/users@lists.alpinelinux.org
From: steeph

Hi!

This is normal behaviour. hello.sh is not executable, but ash is and still
can take hello.sh as an argument. Neither noexec nor removing exec
permission from hello.sh can prevent ash from being executed and reading
hello.sh.

Best regards
steeph

On 8/10/25 19:50, Rolf wrote:
> Dear friends
>
> Alpine 3.22.1 x86_64
>
> In my `/etc/fstab`, there is the following entry for my data
> partition, as suggested in
> https://wiki.alpinelinux.org/wiki/Securing_Alpine_Linux#User_and_access_management,
> "2. Configure mount options":
> 'UUID= /vol/ext4 ext4 defaults,nosuid,nodev,noexec 0 2'
>
> However, shell scripts in /vol/ext4/bin appear to be executable by the
> owner all the same:
> ```
> $ ls -l /vol/ext4/bin/
> total 4
> -rwx------ 1 24 Aug 10 18:55 hallo.sh
> $ ./hallo.sh
> /bin/ash: ./hallo.sh: Permission denied
> $ $ ash ./hallo.sh
> hallo!
> ```
>
> If done by a different user:
> ```
> $ ./hallo.sh
> -ash: ./hallo.sh: Permission denied
> $ ash ./hallo.sh
> ash: can't open './hallo.sh': Permission denied
> ```
>
> Is there something I have misunderstood about the concept of the `noexec`
> option and shell scripts, or have I misconfigured something?
>
> Many thanks and best regards
>
> Rolf
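
The distinction discussed in this thread, as an added example that is not part of either message: `noexec` (like a missing execute bit) makes the kernel refuse `execve()` on the file itself, while `ash ./hallo.sh` executes `/bin/ash` and only opens and reads the script. The function names are hypothetical, the demo script is constructed, and a file with mode 600 stands in for a file on a `noexec` mount so that no root access is needed.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Print the mount options that apply to PATH: longest mount-point prefix
# match over a /proc/mounts-format table (default /proc/mounts).
# Mount points containing spaces (escaped as \040 there) are not handled.
mount_opts_for() {
    path=$1; table=${2:-/proc/mounts}; best=""; best_opts=""
    while read -r _dev mp _type opts _rest; do
        case "$path/" in
            "${mp%/}/"*)
                if [ "${#mp}" -ge "${#best}" ]; then
                    best=$mp; best_opts=$opts
                fi ;;
        esac
    done < "$table"
    printf '%s\n' "$best_opts"
}

# Succeed if the filesystem holding PATH is mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$@")," in *,noexec,*) return 0 ;; esac
    return 1
}

# Print "direct=<status> interp=<status>" for one script.
# direct: the shell asks the kernel to execve() the file itself.
# interp: sh is the program executed; the script is only opened and read.
exec_vs_interp() {
    script=$1; d=0; i=0
    "$script" >/dev/null 2>&1 || d=$?
    sh "$script" >/dev/null 2>&1 || i=$?
    printf 'direct=%s interp=%s\n' "$d" "$i"
}

# Constructed demo: mode 600 makes execve() fail with EACCES, the same
# error the kernel returns for a file on a noexec mount.
demo() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho hallo!\n' > "$dir/hallo.sh"
    chmod 600 "$dir/hallo.sh"
    exec_vs_interp "$dir/hallo.sh"
    rm -rf "$dir"
}

demo
```

Running `is_noexec /vol/ext4/bin/hallo.sh` on the affected system confirms whether the fstab option is actually in effect for that path. The interpreter route depends only on read access to the script, which is why it fails for the second user in the quoted session, where the file mode is `-rwx------`.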