noexec on /dev/shm

Tomasz Torcz tomek at pipebreaker.pl
Tue Dec 14 13:24:53 UTC 2010


On Tue, Dec 14, 2010 at 01:53:37PM +0100, Miloslav Trmač wrote:
> Matthew Miller píše v Út 14. 12. 2010 v 07:39 -0500:
> > On Mon, Dec 13, 2010 at 11:57:51PM +0100, Dominik 'Rathann' Mierzejewski wrote:
> > > > the MS_NOEXEC flag is in private systemd fstab, see
> > > > systemd/src/mount-setup.c:
> > > You're not kidding. Could the author of this code (I'm guessing...
> > > Lennart?) please explain this extremely bright idea of hard-coding
> > > what should be admin-configurable?
> > 
> > That's not a very constructive wording. Filing a bug showing your use-case
> > would be helpful.
> Changing the semantics of /etc/fstab without any consultation with
> fedora-devel or even notification of Fedora that something so
> long-standing is changing is hardly constructive either.
> 
> I can happily live with "systemd is a new, better init system" without
> knowing the details.  I consider "systemd replaces 15% of /etc and
> changes semantics of another 5%" without discussing the details in
> advance unacceptable for the distribution as a whole, although this
> decision is of course FESCo's.
> 	Mirek

  Let's keep discussion calm and technical.
  “Systemd contains native implementations of various tasks that need to
be executed as part of the boot process. For example, it sets the host name
or configures the loopback network device. It also sets up and
mounts various API file systems, such as /sys or /proc.”

  We saw it includes /dev, /dev/shm etc.  Is there any *reasonable* need
to mount sysfs somewhere else than /sys?  Or /dev with a mode other than 755?
All those directories are mounted _identically_ on every Linux distribution
down here.  Why pollute fstab with repeated lines on a million machines?

  I can see that it may look like taking power from the admin, but has
anyone ever changed how devpts is mounted?  Really?  Being able
to change for the sake of ability is not always sane.  There are
things which we can change, and some things which shouldn't be touched
by the admin.  And I'm not proposing dumbing down the admin.  Back when
I ran Slackware I rewrote part of the initscripts to suit me.
But really, the admin should worry about important things; better
leave the boring (and identical across distros) parts to someone else.

  The original problem could be solved by configuring some scratch
tmpfs in /mnt/scratch or somewhere else.

-- 
Tomasz Torcz                 "God, root, what's the difference?"
xmpp: zdzichubg at chrome.pl         "God is more forgiving."
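As an added illustration (not part of the thread or of systemd's code): a small POSIX sh check that reports whether a given mount point carries an option such as noexec, run here over a constructed /proc/mounts excerpt, together with the fstab line for the separate exec-capable scratch tmpfs suggested above. The /mnt/scratch path and the 512m size are assumptions.

```shell
# Constructed sample of /proc/mounts on a systemd host (not captured output):
# /dev/shm carries the hard-coded noexec, /mnt/scratch is the admin's own tmpfs.
SAMPLE_MOUNTS='devtmpfs /dev devtmpfs rw,nosuid,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
devpts /dev/pts devpts rw,nosuid,noexec,gid=5,mode=620 0 0
tmpfs /mnt/scratch tmpfs rw,nosuid,nodev,size=512m 0 0'

# has_opt MOUNTPOINT OPTION [MOUNTS_TEXT]
# Prints 1 if OPTION is set on MOUNTPOINT, 0 otherwise.  MOUNTS_TEXT defaults
# to the live /proc/mounts so the same function works on a real host.
has_opt() {
    mp=$1; opt=$2; text=${3:-$(cat /proc/mounts)}
    printf '%s\n' "$text" | awk -v mp="$mp" -v opt="$opt" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { print (found ? 1 : 0) }'
}

# The fstab line for a scratch tmpfs that allows execution (assumed path and
# size); /dev/shm itself keeps noexec, nosuid and nodev.
scratch_fstab_line() {
    printf 'tmpfs /mnt/scratch tmpfs rw,nosuid,nodev,size=512m 0 0\n'
}

# Walk the sample and report the noexec state of each tmpfs-like mount.
for mp in /dev/shm /dev/pts /mnt/scratch; do
    printf '%s noexec=%s\n' "$mp" "$(has_opt "$mp" noexec "$SAMPLE_MOUNTS")"
done
```

Omit the third argument to check the running system instead of the sample.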