noexec

Integer. noexec is modifiable.

This variable does not apply to pbssh. If it is present in the policy and set to 1, pbrun, pblocald, pbsh, and pbksh attempt to prevent the secured task from performing an exec to launch a new program (for example, to prevent vi's shell escape :!/bin/bash).

This mechanism uses the LD_PRELOAD or equivalent mechanism to load a Privilege Management for Unix and Linux shared library that intercepts the exec family of library calls.

The noexec feature requires Privilege Management for Unix and Linux 8.5.0 run hosts. Run hosts on any previous version silently ignore the noexec feature.

Care should be used when enabling noexec for shell scripts (these normally exec other programs).

  • The noexec feature is not supported on macOS systems.
  • The noexec feature works only for binaries that are dynamically linked, on operating systems that support the LD_PRELOAD or equivalent mechanism.
  • The noexec feature supports setuid programs only on Linux and Solaris run hosts.
  • The noexec feature cannot execute shell scripts that lack the #!/path/shell specification.
  • The noexec feature currently does not support the Privilege Management for Unix and Linux execute_via_su feature.
  • HP-UX 11.11 requires linker patch PHSS_22535 or newer.

noexec=1;

Valid values are 0 and 1. The default value is 0.

For more information, please see the Unix/Linux manual pages for the ld.so (Linux), ld.so.1 (Solaris), ld (HP-UX), and dld.sl (HP-UX) commands.
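
The limitations listed above (dynamically linked binaries only, scripts need a #! line) can be checked before noexec=1 is set for a command. The following is an added example, not part of the product or its documentation: it classifies a file by looking for the ELF PT_INTERP program header, which names the run-time loader that honors LD_PRELOAD. The function names, the verdict wording, and the sample ELF bytes are constructed for illustration.

```python
import struct
import sys

PT_INTERP = 3  # program header naming the run-time loader (ld.so); absent in static ELF

VERDICT = {
    "elf-dynamic": "loader present, so a preloaded exec interceptor can apply",
    "elf-static": "not dynamically linked: noexec does not work for this binary",
    "shebang-script": "has a #! line; scripts normally exec other programs, use care",
    "no-shebang": "no #!/path/shell line: noexec cannot execute it as a script",
    "bad-elf": "truncated or malformed ELF header: inspect manually",
}

def classify(data: bytes) -> str:
    """Map file contents to one of the VERDICT keys."""
    if data[:2] == b"#!":
        return "shebang-script"
    if data[:4] != b"\x7fELF":
        return "no-shebang"
    try:
        is64 = data[4] == 2                   # EI_CLASS: 1 = 32-bit, 2 = 64-bit
        end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian
        if is64:
            (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
        else:
            (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
        for i in range(phnum):
            (p_type,) = struct.unpack_from(end + "I", data, phoff + i * phentsize)
            if p_type == PT_INTERP:
                return "elf-dynamic"
    except (struct.error, IndexError):
        return "bad-elf"
    return "elf-static"

def sample_elf64(p_types):
    """Constructed sample: minimal little-endian ELF64 header plus program headers."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(p_types), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<I", t) + bytes(52) for t in p_types)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            kind = classify(fh.read())
        print(f"{path}: {kind}: {VERDICT[kind]}")
```

Run it with the paths of the commands a policy will secure. For a file reported as shebang-script, run it again on the interpreter named in the #! line.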