If I have a multiuser Linux installation with shell and DE access, my users have no places in the system where they are able to download something from the internet and execute it:

/     ro,exec
/home rw,noexec
/var  rw,noexec
all tmpfs noexec

In Debian wheezy this is done and works. In Debian jessie I have places (/run/users/*) where users may execute downloaded executables. What must I do about this? Sorry for my English.

On 16.02.2015 14:10, "Lennart Poettering" <[email protected]> wrote:
> On Sun, 15.02.15 16:31, Павел Самсонов ([email protected]) wrote:
>
> > Good day, I see a new Debian jessie, and I mean that /var/run/<pid>
> > filesystems must be mounted with noexec options, so they have user write
> > access. On some installations this is very important. Where may I configure
> > this, or maybe you could change your default mount options?
> > Sorry for my English, best regards, Pavel, Russia.
>
> I cannot parse this. Do you mean /run/user/<uid>? /var/run/<pid> is
> not a separate mount, /run is, and that is not user writable.
>
> The /run/user/<uid> directory is mounted to implement
> XDG_RUNTIME_DIR. We guarantee certain functionality on it, including
> the ability to have executable files there, and that's specified in
> the XDG_RUNTIME_DIR spec.
>
> Hence, the only way to change it is by patching logind, and we will
> not add a configuration option for this, since it would mean
> XDG_RUNTIME_DIR would not provide what it's supposed to provide
> anymore.
>
> Note though that /run/user/<uid> is mounted as a per-user tmpfs
> instance, with nosuid and nodev, and a size limit applied. It should
> hence be a pretty safe thing.
>
> Also note that "noexec" doesn't really do what people think it does.
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
_______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
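An added example, not from either poster: a small POSIX shell helper that reads a mount table in /proc/mounts format and reports whether a given mountpoint carries nosuid, nodev and noexec and what size= limit it has, so the claim about /run/user/<uid> can be checked on a real box. The embedded mount table is constructed for this example (uid 1000, illustrative size= values); `live_report` runs the same check against the running system's /proc/self/mounts.

```shell
#!/bin/sh
# Added example: audit the mount options of a per-user XDG_RUNTIME_DIR tmpfs.
# Not code from the systemd project or from the thread.

# Constructed sample in /proc/mounts format. The uid (1000) and the size=
# values are assumptions for the example, not logind's real defaults.
SAMPLE_MOUNTS='tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=401336k,mode=755 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=200668k,mode=700,uid=1000,gid=1000 0 0
tmpfs /home tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# mount_opts TABLE MOUNTPOINT -> prints the option field of that exact mountpoint
# (nothing if MOUNTPOINT is not itself a mountpoint in TABLE).
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_opt OPTS NAME -> exit 0 if NAME is present as a whole comma-separated option.
has_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# report TABLE MOUNTPOINT -> one line, e.g. "nosuid=yes nodev=yes noexec=no size=200668k"
report() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "not a mountpoint"
        return 1
    fi
    out=""
    for flag in nosuid nodev noexec; do
        if has_opt "$opts" "$flag"; then
            out="$out $flag=yes"
        else
            out="$out $flag=no"
        fi
    done
    size=$(printf '%s\n' "$opts" | tr ',' '\n' | grep '^size=' | head -n 1)
    echo "${out# }${size:+ $size}"
}

# Live check of the current user's runtime dir on the running system (Linux).
live_report() {
    report "$(cat /proc/self/mounts)" "/run/user/$(id -u)"
}

# Usage on the constructed table:
report "$SAMPLE_MOUNTS" /run/user/1000
report "$SAMPLE_MOUNTS" /home
```

On the constructed table the runtime dir comes back `nosuid=yes nodev=yes noexec=no size=200668k`, which matches what the reply above describes. The reason noexec buys less than people expect is that it only makes execve() of a file on that mount fail; an interpreter that is already installed (sh, perl, python) can still read a script from the same directory and run it, and a process can still load code into its own memory by other means. nosuid and nodev, which logind does set, close the privilege-escalation paths that matter on a user-writable tmpfs.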
