Bug#826377: systemd: tmp.mount sets up too lax options

Martin Pitt mpitt at debian.org
Wed Jun 22 10:58:46 BST 2016


Control: forwarded -1 https://github.com/systemd/systemd/pull/3575
Control: tag -1 upstream confirmed patch

Hey Gabriel,

Gabriel Filion [2016-06-04 23:51 -0400]:
> When using /etc/default/tmpfs on wheezy, if you enabled RAMTMP, the tmpfs would
> get created with options nodev,nosuid. However, using the systemd-provided unit
> does not set those options. So the default way to enable a tmpfs for /tmp is
> now more lax and permits intruders to create devices and possibly suid-set
> executables.

Thanks for pointing this out! I agree that this would be a much better
default, and I only see this breaking corner cases (and then the admin
can still tweak the options by just using /etc/fstab or a
tmp.mount.d/*.conf).

I sent an upstream PR for this.

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-systemd-maintainers/attachments/20160622/a7520e22/attachment.sig>


More information about the Pkg-systemd-maintainers mailing list