~alpine/users

3 3

Mount option `noexec` not working as expected?

Rolf <baflubaf@gmail.com>
Details
Message ID
<CALVR4_07MK9b_eUBydkuw4EOLvcerPZkp_7iBZnXr-2wLbEFbQ@mail.gmail.com>
DKIM signature
missing
Download raw message
10 days ago 
Dear friends

Alpine 3.22.1 x86_64

In my `/etc/fstab`, there is the following entry for my data
partition, as suggested in
https://wiki.alpinelinux.org/wiki/Securing_Alpine_Linux#User_and_access_management,
"2. Configure mount options":
'UUID=<uuid>  /vol/ext4  ext4  defaults,nosuid,nodev,noexec 0 2'

However, shell scripts in /vol/ext4/bin appear to be executable by the
owner all the
same:
```
$ ls -l /vol/ext4/bin/
total 4
-rwx------    1 <user>    <group>           24 Aug 10 18:55 hallo.sh
$ ./hallo.sh
/bin/ash: ./hallo.sh: Permission denied
$ $ ash ./hallo.sh
hallo!
```

If done by a different user:
```
$ ./hallo.sh
-ash: ./hallo.sh: Permission denied
$ ash ./hallo.sh
ash: can't open './hallo.sh': Permission denied
``

Is there something I have misunderstood about the concept of the `noexec`
option and shell scripts, or have I misconfigured something?

Many thanks and best regards

Rolf
steeph <ml@steeph.de>
Details
Message ID
<7b2ab61d-f076-45c4-a64d-757d4b0e8a1b@steeph.de>
In-Reply-To
<CALVR4_07MK9b_eUBydkuw4EOLvcerPZkp_7iBZnXr-2wLbEFbQ@mail.gmail.com> (view parent)
DKIM signature
missing
Download raw message
10 days ago 
Hi!

This is normal behaviour. hello.sh is not executable, but ash is and 
still can take hello.sh as an argument. Neither noexec nor removing exec 
permission from hello.sh can prevent ash from being executed and reading 
hello.sh.

Best regards
steeph


On 8/10/25 19:50, Rolf wrote:
> Dear friends
>
> Alpine 3.22.1 x86_64
>
> In my `/etc/fstab`, there is the following entry for my data
> partition, as suggested in
> https://wiki.alpinelinux.org/wiki/Securing_Alpine_Linux#User_and_access_management,
> "2. Configure mount options":
> 'UUID=<uuid>  /vol/ext4  ext4  defaults,nosuid,nodev,noexec 0 2'
>
> However, shell scripts in /vol/ext4/bin appear to be executable by the
> owner all the
> same:
> ```
> $ ls -l /vol/ext4/bin/
> total 4
> -rwx------    1 <user>    <group>           24 Aug 10 18:55 hallo.sh
> $ ./hallo.sh
> /bin/ash: ./hallo.sh: Permission denied
> $ $ ash ./hallo.sh
> hallo!
> ```
>
> If done by a different user:
> ```
> $ ./hallo.sh
> -ash: ./hallo.sh: Permission denied
> $ ash ./hallo.sh
> ash: can't open './hallo.sh': Permission denied
> ``
>
> Is there something I have misunderstood about the concept of the `noexec`
> option and shell scripts, or have I misconfigured something?
>
> Many thanks and best regards
>
> Rolf
donoban <donoban@riseup.net>
Details
Message ID
<5v4i4j53cddry3vzis372m627xxnbg7iibximtrjgm25ggaaoz@kyg4cg4p3b25>
In-Reply-To
<CALVR4_07MK9b_eUBydkuw4EOLvcerPZkp_7iBZnXr-2wLbEFbQ@mail.gmail.com> (view parent)
DKIM signature
missing
Download raw message
10 days ago 
On Sun, Aug 10, 2025 at 07:50:19PM +0200, Rolf wrote:
> Dear friends
> 
> $ $ ash ./hallo.sh
> hallo!

When you do this it only needs read permission since you are asking
'/bin/ash' (which can ben executed) to read and parse it.

> 
> If done by a different user:
> ```
> $ ./hallo.sh
> -ash: ./hallo.sh: Permission denied
> $ ash ./hallo.sh
> ash: can't open './hallo.sh': Permission denied
> ``

Has this user permission to read the file?
Rolf <baflubaf@gmail.com>
Details
Message ID
<CALVR4_0fc3AgvkyooVvBwwpF2EchjoSSuSfxv+ktW1LqY_i4kg@mail.gmail.com>
In-Reply-To
<7b2ab61d-f076-45c4-a64d-757d4b0e8a1b@steeph.de> (view parent)
DKIM signature
missing
Download raw message
10 days ago 
Dear donoban,
dear steeph

Many thanks for your prompt answers.

It's a bit embarrassing I had to ask this question, but I read the man
page for `mount` and
googled before writing to the mailing list, without having found and
answer, and apparently
without having fully understood the consequences of the concept of `noexec`.

I'm really grateful for your explanations!

Best regards

Rolf
Reply to thread Export thread (mbox)