On Mon, 17.03.14 19:04, Leonid Isaev (lis...@umail.iu.edu) wrote:

> Hi,
>
> Currently, XDG_RUNTIME_DIR=/run/user/<UID> is mounted with rather
> permissive, hardcoded mount options (or at least I couldn't find a documented
> way of changing them). Specifically, a user is allowed to execute things from
> his $XDG_RUNTIME_DIR. This effectively negates the admin's ability to constrain
> users, e.g. by mounting /home as noexec (I have seen this done in some
> environments).
>
> Is there a need to allow execution from $XDG_RUNTIME_DIR? And how
> should one configure its mount options?
Yes, this is hardcoded in 211, that's true. We could make this configurable, but I am not really convinced that we really want that? I mean, the XDG_RUNTIME_DIR spec says the dir "must be fully-featured by the standards of the operating system. More specifically, ... proper permissions ... must be supported". I'd read that as if the x bit should do what it is supposed to do. So, in order to stay compatible with the spec, allowing it to be mounted with noexec sounds undesirable.

Moreover, "noexec" is mostly snake-oil, isn't it? You can invoke the executables with an interpreter still, and you can copy the files elsewhere...

Note that setting "noexec" on an fs means you cannot map its files PROT_EXEC anymore, which breaks a number of things. In the past people attempted to mount /dev/shm as noexec, and dosemu broke because it made use of this. Then people wanted to mount /dev as noexec, which broke X11, which wanted to map some device nodes PROT_EXEC. Given that we consider XDG_RUNTIME_DIR as a private version of /dev/shm among other things, it really sounds wrong to break this right from the start.

So, I am not really convinced, I must say...

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel