Apologies it's a little scattered. Roughly it's about dealing with situations where you can execute a command but now want to run a native executable, and how much noise such a thing will make in the presence of monitoring.

> Couldn't you create a temporary file in-memory (e.g. in /dev/shm or in some tmpfs), make it executable (+x) and then execute it?

It all depends on how your environment is set up: whether a tmpfs or shm device is mounted and writable by your user is up to the admin. For example, on many embedded devices you often want to avoid writes to prevent any sort of filesystem wear, or because you have a write-once media like a ROM; so the whole fs will be mounted readonly. With chroots it's best practice to provide a minimal environment - unless tempfiles are needed there will usually not be a /tmp. Try `docker run --read-only -ti ubuntu bash` as another example:

``` root@9302f159e0e0:/tmp# touch a touch: cannot touch 'a': Read-only file system ```

My apologies for the delay, Joe, I was on vacation. Now that I'm home, I gave this a try but at least on my machine writing to /dev/shm/ works as I remembered, even with --read-only:

    $ docker run --read-only -ti ubuntu bash
    root@3dfdab770505:/# echo "bar" > /dev/shm/foo
    root@3dfdab770505:/# cat /dev/shm/foo
    bar

So, again, couldn't you just write your binary to /dev/shm and execute it?

It is fairly common to have noexec on /dev/shm; filesystem configurations are always up to the admin so they could feasibly set anything.

Thanks for reminding me of noexec; I'm no Linux security expert by any means, so I was merely trying to figure out what's possible and what's not.

It looks like mounting /dev/shm with noexec is not that common, though, is it? See e.g.

https://unix.stackexchange.com/questions/670362/mounting-dev...

More generally, it regularly blows my mind how hard it is to harden a Linux installation, and how many pitfalls and caveats there are.