On 02/13/2014 03:16 AM, Chris Murphy wrote:
> How significant is the risk of stale binaries being persistently
> available in the normal file system hierarchy? Should something be done
> to either make sure they aren't persistently available (make sure they
> aren't available in the mounted file system hierarchy), and if they're
> mounted should noexec or nosuid be used?

This is similar to security measurements (version status and malware
scanning) on suspended virtual machines or their snapshots. I think a
considerable amount of cycles has been spent on trying to address it
there. The libvirt folks might already have something.
--
Florian Weimer / Red Hat Product Security Team