Re: Re: Mounting /dev/shm noexec
Also related: https://github.com/systemd/systemd/pull/17238#discussion_r499375614
Re: Mounting /dev/shm noexec
Hi, and thank you all for the great replies!

So I added the following line to fstab:

    tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0

and it works, just as you said it would. No second /dev/shm popping up or other stuff I had assumed. (I'm not sure if it now takes a second longer for the GNOME login screen to appear after boot, but I didn't find any errors in logs and things seem to work.)

Steve McIntyre wrote:
> Andy Smith wrote:
> > Though note that it seems systemd once did use "noexec" for /dev/shm
> > but stopped 10 years ago because it broke some uses of mmap:
> >
> > https://github.com/systemd/systemd/commit/501c875bffaef3263ad42c32485c7fde41027175
>
> libffi also has a habit of using /dev/shm for writing temporary
> trampolines for cross-language calls, and they need to be executable.

I'll keep these in mind if I run into problems later on.

Kind regards,
Valter Jaakkola
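A way to verify that the fstab change actually took effect, as an added example that is not part of the thread: the functions below parse lines in /proc/self/mounts format (a constructed sample is embedded so it runs offline) and report which of noexec, nosuid and nodev are missing on a given mount point.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks hardening mount options
# per mount point using the /proc/self/mounts line format:
#   device mountpoint fstype options dump pass

# Constructed sample in /proc/self/mounts format, not captured from a real host.
SAMPLE_MOUNTS='tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
mqueue /dev/mqueue mqueue rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

# Print the options field for a mount point ($2) from mounts content ($1).
# Later entries win, as in /proc/self/mounts when something is remounted or overmounted.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# Succeed if option $2 appears as a whole token in the comma-separated list $1.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print "ok" if the mount point carries noexec, nosuid and nodev,
# otherwise "missing:" followed by the absent options.
check_mount() {
    opts=$(mount_opts "$1" "$2")
    missing=""
    for want in noexec nosuid nodev; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing:$missing"
    fi
}

check_mount "$SAMPLE_MOUNTS" /dev/shm   # ok
check_mount "$SAMPLE_MOUNTS" /tmp       # missing: noexec
```

On a live system, run the same check against the real table with `check_mount "$(cat /proc/self/mounts)" /dev/shm`; because systemd mounts /dev/shm first and only then remounts with the fstab options, the check reflects the final state, not the brief default-options window Andy mentions.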
Re: Mounting /dev/shm noexec
Andy Smith wrote:
...
> Though note that it seems systemd once did use "noexec" for /dev/shm
> but stopped 10 years ago because it broke some uses of mmap:
>
> https://github.com/systemd/systemd/commit/501c875bffaef3263ad42c32485c7fde41027175

libffi also has a habit of using /dev/shm for writing temporary trampolines for cross-language calls, and they need to be executable.

-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
"You can't barbecue lettuce!" -- Ellie Crane
Re: Mounting /dev/shm noexec
Hello,

On Fri, Oct 02, 2020 at 10:35:51PM +0300, Valter Jaakkola wrote:
> So where can I change the mounting parameters of /dev/shm, or otherwise arrange
> it so that /dev/shm is noexec already at/after boot?
>
> (Out of curiosity, where is /dev/shm mounted from?)

I think from systemd:

https://github.com/systemd/systemd/blob/c7828862b39883cf1f55235a937d29588d5a806b/src/core/mount-setup.c#L79

and I think if you wish to alter the mount options you should put it in /etc/fstab and then systemd will do the equivalent of:

    # mount -oremount /dev/shm

to get your options set, though there would be a small window where it had the default options.

Though note that it seems systemd once did use "noexec" for /dev/shm but stopped 10 years ago because it broke some uses of mmap:

https://github.com/systemd/systemd/commit/501c875bffaef3263ad42c32485c7fde41027175

On SysV init systems I think this is part of the initscripts package.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: Mounting /dev/shm noexec
On 2020-10-02 22:35 +0300, Valter Jaakkola wrote:
> In an effort to increase security one of the things I'm trying to do is to have
> no world-writable directories where anything (well, binaries at least) could be
> executed from. I use Debian Linux 10 amd64. (I'm a home user.)
>
> When I run `sudo find / -type d -perm -2` and remove from the listing the
> directories which are on noexec-mounted partitions, just /dev/shm and
> /dev/mqueue are left (and some docker directories in /var/lib/docker/overlay2,
> to which I can't write as a normal user).

There are a few other directories where users can typically write to and execute binaries, though: /tmp, /var/tmp, $HOME, /run/user/$USER.

> The problem for me is mounting /dev/shm noexec -- I can't find where to do it. I
> couldn't find a lot of information about this on the internet. The few sources
> mostly only suggest adding it to fstab, but I'm hesitant about this as it isn't
> there already. I'd rather change the settings at the source, where it's mounted
> in the first place.
>
> I also ran `grep -rwlsI -e shm` through /etc and /usr/share but didn't find
> anything that would've looked like the mounting of /dev/shm, or where parameters
> for it could have been changed.
>
> So where can I change the mounting parameters of /dev/shm, or otherwise arrange
> it so that /dev/shm is noexec already at/after boot?

In /etc/fstab. :-)

> (Out of curiosity, where is /dev/shm mounted from?)

It's mounted by systemd; the list of core systems it mounts is hardcoded in the source[1]. Filesystems that appear in /etc/fstab are remounted with the options given there (for the gory details see systemd-fstab-generator(8) and systemd.mount(5)).

Cheers,
Sven

1. https://sources.debian.org/src/systemd/241-7~deb10u4/src/core/mount-setup.c/#L61
Re: Mounting /dev/shm noexec
Valter Jaakkola wrote:
> So where can I change the mounting parameters of /dev/shm, or otherwise
> arrange it so that /dev/shm is noexec already at/after boot?
>
> (Out of curiosity, where is /dev/shm mounted from?)

Perhaps you are looking for tmpfs settings. At least here it is mounted as tmpfs, and this is done by udev AFAIK. Try

    $ grep -r tmpfs /etc/
Mounting /dev/shm noexec
Hi,

In an effort to increase security one of the things I'm trying to do is to have no world-writable directories where anything (well, binaries at least) could be executed from. I use Debian Linux 10 amd64. (I'm a home user.)

When I run `sudo find / -type d -perm -2` and remove from the listing the directories which are on noexec-mounted partitions, just /dev/shm and /dev/mqueue are left (and some docker directories in /var/lib/docker/overlay2, to which I can't write as a normal user).

I assume that /dev/mqueue being exec-mounted doesn't have the same risks as /dev/shm, as mqueue is not(?) an ordinary filesystem where one could save files and execute them, right? (Or so it appears to me after some experimentation and reading.)

The problem for me is mounting /dev/shm noexec -- I can't find where to do it. I couldn't find a lot of information about this on the internet. The few sources mostly only suggest adding it to fstab, but I'm hesitant about this as it isn't there already. I'd rather change the settings at the source, where it's mounted in the first place.

I also ran `grep -rwlsI -e shm` through /etc and /usr/share but didn't find anything that would've looked like the mounting of /dev/shm, or where parameters for it could have been changed.

So where can I change the mounting parameters of /dev/shm, or otherwise arrange it so that /dev/shm is noexec already at/after boot?

(Out of curiosity, where is /dev/shm mounted from?)

(Additional suggestions regarding security are most welcome, too.)

Kind regards,
Valter Jaakkola