Bug#826377: systemd: tmp.mount sets up too lax options
Martin Pitt
mpitt at debian.org
Wed Jun 22 10:58:46 BST 2016
Control: forwarded -1 https://github.com/systemd/systemd/pull/3575
Control: tag -1 upstream confirmed patch
Hey Gabriel,
Gabriel Filion [2016-06-04 23:51 -0400]:
> When using /etc/default/tmpfs on wheezy, if you enabled RAMTMP, the tmpfs would
> get created with options nodev,nosuid. However, using the systemd-provided unit
> does not set those options. So the default way to enable a tmpfs for /tmp is
> now more lax and permits intruders to create devices and possibly suid-set
> executables.
Thanks for pointing this out! I agree that this would be a much better
default, and I only see this breaking corner cases (and then the admin
can still tweak the options by just using /etc/fstab or a
tmp.mount.d/*.conf).
I sent an upstream PR for this.
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-systemd-maintainers/attachments/20160622/a7520e22/attachment.sig>
More information about the Pkg-systemd-maintainers
mailing list