$HOME/bin

[Les Mikesell]

Ed Greshko wrote:

>>>> The other catch is that being able to execute stuff in your home folder
>>>> is a bit of a security risk.
>> Andreas Bernauer:
>>> On what theory do you base this (IMHO weird) statement?  
>> Don't you read any of the security notices?  Mounting /home as noexec is
>> a very old, and wise, technique for making a system more secure.  The
>> same goes for mounting /tmp and /var noexec.  Why do you think there's
>> an option to mount a partition with the noexec parameter?
>>
>> If a user can create and run a program, they can do much more to a
>> system than one who can't.  Ordinarily, they can't do that.  At the
>> simplest level they can stuff up their own files, or bog a system down
>> with a heavy workload.  But if you exploit a software fault, at the same
>> time, you can do worse.
>>
>> All it takes is to browse a website that exploits your browser, and
>> there's an unknown program running on your computer.  But without any
>> execute permissions, it can't do a thing.
> 
> I'm sorry....  Are you saying that mounting /home as noexec is a good thing
> since folks that are compiling/testing programs won't be allowed to get
> their work done?
> 
> Sorry a bit confused here....  Sure, it is only Monday.

There are always tradeoffs between usability and security.  This one is 
pretty extreme, even for people who just write a few convenience scripts 
so they don't have to repeated type long command lines to unix tools for 
things they do more than once.

-- 
   Les Mikesell
    lesmikesell at gmail.com