noexec on /dev/shm

Tue Dec 14 13:55:46 UTC 2010

On 12/14/2010 02:24 PM, Tomasz Torcz wrote:
> On Tue, Dec 14, 2010 at 01:53:37PM +0100, Miloslav Trmač wrote:
>> Matthew Miller píše v Út 14. 12. 2010 v 07:39 -0500:
>>> On Mon, Dec 13, 2010 at 11:57:51PM +0100, Dominik 'Rathann' Mierzejewski wrote:
>>>>> the MS_NOEXEC flags is in private systemd fstab, see
>>>>> systemd/src/mount-setup.c:
>>>> You're not kidding. Could the author of this code (I'm guessing...
>>>> Lennart?) please explain this extremely bright idea of hard-coding
>>>> what should be admin-configurable?
>>> That's not a very constructive wording. Filing a bug showing your use-case
>>> would be helpful.
>> Changing the semantics of /etc/fstab without any consultation with
>> fedora-devel or even notification of Fedora that something so
>> long-standing is changing is hardly constructive either.
>>
>> I can happily live with "systemd is a new, better init system" without
>> knowing the details.  I consider "systemd replaces 15% of /etc and
>> changes semantics of another 5%" without discussing the details in
>> advance unacceptable for the distribution as a whole, although this
>> decision is of course FESCo's.
>> 	Mirek
>   Let's keep discussion calm and technical.  
>  “Systemd contains native implementations of various tasks that need to
>  be executed as part of the boot process. For example, it sets the host name 
> or configures the loopback network device. It also sets up and
>        mounts various API file systems, such as /sys or /proc.”
>
>   We saw it includes /dev, /dev/shm etc.  Is there any *reasonable* need
> to mount sysfs somewhere else than /sys. Or /dev with mode other than 755?
> Those all directories are mounted _identically_ on every Linux distribution
> down here.  Why pollute fstab with repeated lines on million machines?
>
>   I can see that it may look like taking power from admin, but has
> anyone ever changed how devpts is mounted?  Really?  Being able
> to change for the sake of ability is not always sane.  There are
> things which we can change, and some things which shouldn't be touched
> by admin.  And I'm not proposing dumbing down admin.  Back when
> I run Slackware I rewrote part of the initscripts to suit me.
> But really, admin should worry about important things, better
> leave boring (and identical across distros) parts to someone else.
>
>   Original problem could be solved by configuring some scratch
> tmpfs in /mnt/scratch or somewhere else.
>
The problem is not the technical solution. Problem is that changes of
such important thing like /etc/fstab are decided without Fedora developers.
Usually such change would be discussed before on list and it would be
feature for new Fedora. It's not even mentioned on Systemd Feature page.

-- 
Marcela Mašláňová
BaseOS team Brno