noexec on /dev/shm
Tomasz Torcz
tomek at pipebreaker.pl
Tue Dec 14 20:39:46 UTC 2010
On Tue, Dec 14, 2010 at 02:25:38PM +0000, Richard W.M. Jones wrote:
> On Tue, Dec 14, 2010 at 02:24:53PM +0100, Tomasz Torcz wrote:
> > We saw it includes /dev, /dev/shm etc. Is there any *reasonable* need
> > to mount sysfs somewhere other than /sys? Or /dev with a mode other than 755?
> > All those directories are mounted _identically_ on every Linux distribution
> > down here. Why pollute fstab with repeated lines on millions of machines?
>
> The issue here isn't that the reporter wanted to mount them somewhere
> else, but he wanted to set the default mount options to something else
> (or in fact to set them back to how they are now -- systemd has
> decided to use some other mount options entirely without consulting
> anyone else).
>
> I think it's very reasonable to want to edit /etc/fstab to change the
> default mount options of these filesystems. Suppose that /dev/shm
> defaults to allowing suid and exec. At some point in the future a
> security problem is found which can be worked around by temporarily
> setting nosuid on /dev/shm (while the real issue is fixed). An
> administrator can't do that without recompiling systemd.
Of course an administrator can temporarily override:
mount /dev/shm -o remount,nosuid
Or even have it stick after reboot, by dropping the following unit
definition¹ into /etc/systemd/system/:
--
[Unit]
Description=Temporary workaround for CVE-x
DefaultDependencies=false
# Order after the /dev/shm mount unit so the remount does not run before
# the filesystem exists (DefaultDependencies=false drops the usual ordering)
After=dev-shm.mount

[Service]
Type=oneshot
# No space after the comma: "-o remount, nosuid" is parsed as two arguments
ExecStart=/bin/mount /dev/shm -o remount,nosuid

[Install]
# WantedBy belongs in [Install], not [Unit]; activate with "systemctl enable"
WantedBy=local-fs.target
--
While I agree that hidden mounts are a bad idea, they're
still visible in "systemctl -t mount" and "findmnt" output.
¹ created ad-hoc to show idea, not tested
--
Tomasz Torcz                 RIP is irrelevant. Spoofing is futile.
xmpp: zdzichubg at chrome.pl Your routes will be aggregated. -- Alex Yuriev
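An audit check for the concern raised in this thread, added here as an example and not part of the original mail or of systemd: POSIX shell functions (names are mine) that report which hardening options such as nosuid, nodev or noexec are missing on a given mount point, run over a constructed /proc/self/mounts sample so it works offline.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mounts format (not taken from a real host).
SAMPLE_MOUNTS='tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=8k,mode=755 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'

# mount_opts <mountpoint> [mounts-text]
# Print the option string (4th field) of the given mount point. Reads
# /proc/self/mounts unless a mounts table is passed as the second argument.
mount_opts() {
    mp=$1
    if [ -n "$2" ]; then tbl=$2; else tbl=$(cat /proc/self/mounts); fi
    printf '%s\n' "$tbl" | awk -v mp="$mp" '$2 == mp { print $4; exit }'
}

# has_opt <mountpoint> <option> [mounts-text]
# Return 0 when the option is present; commas are added on both sides so
# "nodev" does not match inside "nodevfoo" or "mode=755".
has_opt() {
    case ",$(mount_opts "$1" "$3")," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_opts <mountpoint> <wanted,comma,list> [mounts-text]
# Print the wanted options that are NOT set, space separated (empty = all set).
missing_opts() {
    out=""
    for o in $(printf '%s' "$2" | tr ',' ' '); do
        has_opt "$1" "$o" "$3" || out="$out $o"
    done
    printf '%s' "${out# }"
}

# Example run against the sample table: prints "noexec".
missing_opts /dev/shm nosuid,nodev,noexec "$SAMPLE_MOUNTS"; echo
```

Run without the third argument to check the live system; a non-empty result for /dev/shm is what the remount in the mail above would address.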