noexec on /dev/shm

Richard W.M. Jones rjones at redhat.com
Tue Dec 14 14:25:38 UTC 2010


On Tue, Dec 14, 2010 at 02:24:53PM +0100, Tomasz Torcz wrote:
>   We saw it includes /dev, /dev/shm etc.  Is there any *reasonable* need
> to mount sysfs somewhere other than /sys? Or /dev with a mode other than 755?
> All those directories are mounted _identically_ on every Linux distribution
> down here.  Why pollute fstab with repeated lines on a million machines?

The issue here isn't that the reporter wanted to mount them somewhere
else, but that he wanted to set the default mount options to something else
(or in fact to set them back to how they are now -- systemd has
decided to use some other mount options entirely without consulting
anyone else).

I think it's very reasonable to want to edit /etc/fstab to change the
default mount options of these filesystems.  Suppose that /dev/shm
defaults to allowing suid and exec.  At some point in the future a
security problem is found which can be worked around by temporarily
setting nosuid on /dev/shm (while the real issue is fixed).  An
administrator can't do that without recompiling systemd.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supported
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
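The workaround Rich describes (an administrator tightening /dev/shm with nosuid/noexec via /etc/fstab) is easy to audit from /proc/mounts. The script below is an added example, not code from this thread: `missing_opts` reports which required options a mountpoint lacks, and `fstab_line` prints the entry an administrator would add. The function names and the sample mount table are my own constructions.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not real system output):
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS='tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,mode=755 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'

# missing_opts MOUNTPOINT REQUIRED_OPTS [MOUNTS_TEXT]
# Prints the comma-separated options from REQUIRED_OPTS that MOUNTPOINT
# lacks (empty line if none), or "notmounted" if it is not in the table.
# Reads the live /proc/mounts unless MOUNTS_TEXT is supplied.
# Returns 0 only when nothing is missing.
missing_opts() {
  mp=$1; want=$2; text=${3:-$(cat /proc/mounts)}
  # Use the last matching line: a later mount on the same path overmounts
  # an earlier one, so its options are the ones actually in effect.
  line=$(printf '%s\n' "$text" | awk -v mp="$mp" '$2 == mp { l = $0 } END { print l }')
  [ -n "$line" ] || { echo notmounted; return 1; }
  opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
  missing=""
  for o in $(printf '%s' "$want" | tr ',' ' '); do
    case ",$opts," in
      *",$o,"*) ;;                                  # option present
      *) missing="${missing:+$missing,}$o" ;;       # option absent
    esac
  done
  printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# fstab_line MOUNTPOINT OPTS
# Prints the /etc/fstab entry that mounts a tmpfs at MOUNTPOINT with OPTS,
# which is what the administrator in the discussion would add.
fstab_line() {
  printf 'tmpfs %s tmpfs %s 0 0\n' "$1" "$2"
}

# Example: check the constructed table, then print the hardened entry.
missing_opts /dev/shm nosuid,noexec "$SAMPLE_MOUNTS" || fstab_line /dev/shm rw,nosuid,nodev,noexec
```

Run without the third argument to audit the live system; an `mount -o remount,nosuid,noexec /dev/shm` applies the same options until the next boot.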