On Mon, 2009-08-24 at 09:20 +0200, Thomas Bächler wrote:
> Jan de Groot wrote:
> > Some applications like the ones mentioned in the original post will mmap
> > files in /dev/ with the PROT_EXEC flag. When the filesystem is mounted
> > as noexec, these mmap operations will fail. Even if the program doesn't
> > execute anything used in the mmap operation, the whole mmap operation
> > will just fail when this flag is set on a noexec filesystem.
>
> How stupid. Can I at least put nosuid there? And put nosuid to /dev/shm
> as well?
I think that might be good. I don't see a reason to store suid stuff in /tmp, /dev and /dev/shm. Out of these, /dev/shm and /tmp are the most important ones that should be nosuid.
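A mount-option audit for the three filesystems discussed in this thread, added here as an example (not code from the thread or from the Arch project): it reads /proc/mounts-format lines from stdin, reports which of /tmp, /dev and /dev/shm lack nosuid, and flags noexec on /dev because of the mmap(PROT_EXEC) breakage described above. The sample mount lines are constructed.

```shell
#!/bin/sh
# Audit nosuid/noexec on /tmp, /dev and /dev/shm.
# Input: /proc/mounts-format lines on stdin
#   "<device> <mountpoint> <fstype> <opt1,opt2,...> <dump> <pass>"
# Output (sorted, C locale): one line per mountpoint of interest.
audit_mount_opts() {
    awk '
    BEGIN { want["/tmp"] = 1; want["/dev"] = 1; want["/dev/shm"] = 1 }
    ($2 in want) {
        n = split($4, o, ",")
        nosuid = 0; noexec = 0
        for (i = 1; i <= n; i++) {
            if (o[i] == "nosuid") nosuid = 1
            if (o[i] == "noexec") noexec = 1
        }
        seen[$2] = 1
        status = (nosuid ? "nosuid ok" : "MISSING nosuid")
        # noexec on /dev makes mmap(PROT_EXEC) of device files fail,
        # so it is reported as a breakage risk rather than a hardening win.
        if ($2 == "/dev" && noexec)
            status = status "; noexec on /dev may break mmap(PROT_EXEC)"
        printf "%s: %s\n", $2, status
    }
    END {
        # A path that is not its own mount inherits the parent options,
        # so nosuid cannot be enforced on it separately.
        for (m in want)
            if (!(m in seen)) printf "%s: not a separate mount\n", m
    }' | LC_ALL=C sort
}

# Constructed sample: /dev carries noexec, /tmp lacks nosuid.
SAMPLE_MOUNTS='udev /dev devtmpfs rw,nosuid,noexec,relatime,size=10240k 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mount_opts
```

On a live system run `audit_mount_opts < /proc/mounts` instead of the sample.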

