noexec

Data Type

Integer. noexec is modifiable.

Description

This variable does not apply to pbssh. If it is present in the policy, and set to 1, pbrun, pblocald, pbsh, and pbksh will attempt to prevent the secured task from performing an exec to launch a new program (for example, prevent vi's shell escape :!/bin/bash).

This mechanism uses the LD_PRELOAD or equivalent mechanism to load an Endpoint Privilege Management for Unix and Linux shared library that intercepts the exec family of library calls.

The noexec feature requires Endpoint Privilege Management for Unix and Linux 8.5.0 runhosts. Any previous version of runhost silently ignores the noexec feature.

Use care when enabling noexec for secured tasks that are shell scripts: scripts normally exec other programs, so they will fail under noexec.
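The interception described above, shown as an added illustration in C that is not BeyondTrust's shared library: a minimal LD_PRELOAD interposer that defines the exec family itself and refuses every call with EPERM, which is what a secured task sees when vi's :!/bin/bash escape is blocked. It assumes Linux with glibc and is built as a shared object with gcc -shared -fPIC; try_shell_escape() is a constructed helper for exercising it.

```c
/* noexec_shim.c: constructed illustration of an LD_PRELOAD exec interposer.
 * Build: gcc -shared -fPIC -o noexec_shim.so noexec_shim.c
 * Use:   LD_PRELOAD=./noexec_shim.so vi            (then try :!/bin/bash)
 * As the page notes, this only works for dynamically linked programs; a
 * statically linked binary never loads the preloaded library. */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/* Single decision point for every intercepted call: log and refuse.
 * Returning -1 with errno = EPERM is exactly what the caller observes. */
static int deny_exec(const char *fn, const char *target)
{
    fprintf(stderr, "noexec: blocked %s(\"%s\")\n", fn, target ? target : "?");
    errno = EPERM;
    return -1;
}

/* Vector-argument members of the exec family. */
int execve(const char *path, char *const argv[], char *const envp[])
{ (void)argv; (void)envp; return deny_exec("execve", path); }
int execv(const char *path, char *const argv[])
{ (void)argv; return deny_exec("execv", path); }
int execvp(const char *file, char *const argv[])
{ (void)argv; return deny_exec("execvp", file); }
int execvpe(const char *file, char *const argv[], char *const envp[])
{ (void)argv; (void)envp; return deny_exec("execvpe", file); }
int fexecve(int fd, char *const argv[], char *const envp[])
{ (void)fd; (void)argv; (void)envp; return deny_exec("fexecve", "<fd>"); }

/* List-argument members: the variadic arguments are never consumed because
 * the call is refused before anything would reach the kernel. */
int execl(const char *path, const char *arg, ...)
{ (void)arg; return deny_exec("execl", path); }
int execlp(const char *file, const char *arg, ...)
{ (void)arg; return deny_exec("execlp", file); }
int execle(const char *path, const char *arg, ...)
{ (void)arg; return deny_exec("execle", path); }

/* Constructed helper: attempt a shell-escape-style exec and report errno.
 * If interposition were not in effect the process would become /bin/false
 * and exit non-zero, so a "successful" exec cannot masquerade as a block. */
int try_shell_escape(void)
{
    if (execl("/bin/false", "false", (char *)0) == -1)
        return errno;
    return 0;
}
```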

Restrictions

  • The noexec feature works only for binaries that are dynamically linked, on operating systems that support the LD_PRELOAD or equivalent mechanism.
  • The noexec feature supports setuid programs only on Linux and Solaris run hosts.
  • The noexec feature cannot execute shell scripts that lack the #!/path/shell specification.
  • The noexec feature currently does not support the Endpoint Privilege Management for Unix and Linux execute_via_su feature.
  • HP-UX 11.11 requires linker patch PHSS_22535 or newer.

Syntax

noexec=1;

Valid Values

Valid values are 0 and 1. This variable has a default value of 0.

Example

noexec=1;

For more information, please see the Unix/Linux manual pages for the ld.so (Linux), ld.so.1 (Solaris), ld (HP-UX), and dld.sl (HP-UX) commands.