On Wed, Dec 09, 2020 at 08:58:52AM +0100, Ulrich Windl wrote: > >>> Jarkko Sakkinen <jar...@kernel.org> schrieb am 09.12.2020 um 01:15 in > >>> Nachricht > <20201209001521.ga64...@kernel.org>: > > ... > > > > What's the data that supports having noexec /dev anyway? With root > > access I can then just use something else like /dev/shm mount. > > > > Has there been out in the wild real world cases that noexec mount > > of would have prevented? > > > > For me this sounds a lot just something that "feels more secure" > > without any measurable benefit. Can you prove me wrong? > > I think the better question is: Why not allow it? I.e.: Why do you want to > forbid it? > > Event though I wouldn't like it myself, I could even think of noexec /tmp.
On an instance of an OS you should limit whatever is appropriate for your use case. The debate is about sane defaults. My argument is essentially that noexec /dev is not a sane default. For anyone to who this makes sense, does such thing anyway. For others, noexec /dev is only artificially useful. > Regards, > Ulrich /Jarkko _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
