[Pkg-sysvinit-devel] Bug#386368: initscripts: please don't mount /dev/shm noexec
Mario 'BitKoenig' Holbe
Mario.Holbe at TU-Ilmenau.DE
Thu Sep 7 07:50:21 UTC 2006
Package: initscripts
Version: 2.86.ds1-16
Hello,
could you please consider removal of the noexec flag from the /dev/shm
mount... Mounting it noexec breaks bind-mounts to /tmp on Debian systems
because dpkg runs files from /tmp (for preconfiguration).
Bind-mounting /dev/shm to /tmp instead of creating a new tmpfs for /tmp
is far safer regarding memory-DoS attacks. That's why I think this
is not that uncommon.
Btw... mounting /dev/shm noexec doesn't really improve system security
since it's just one of many temp locations to which users have write access
(and exec permission) (besides /tmp, /var/tmp, /var/lock, etc.) - and
yet the least persistent one :)
Here are my fstab entries for virtual filesystems, which have worked quite
well for months now, just in case it helps you (you don't yet restrict
/dev/pts, for example)...
sysfs /sys sysfs nosuid,nodev,noexec 0 0
proc /proc proc nosuid,nodev,noexec 0 0
usbfs /proc/bus/usb usbfs nosuid,nodev,noexec 0 0
devpts /dev/pts devpts nosuid,noexec 0 0
tmpfs /dev/shm tmpfs nosuid,nodev 0 0
...
/dev/shm /tmp none bind 0 0
Thanks for your work & regards
Mario
--
I heard, if you play a NT-CD backwards, you get satanic messages...
That's nothing. If you play it forwards, it installs NT.
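As an added example (not the reporter's code and not part of initscripts): a small POSIX sh/awk checker that reads fstab-style entries, follows bind mounts back to the source that actually declares options, and reports whether /tmp ends up noexec, which is the condition under which dpkg can no longer run preconfiguration files from /tmp. It assumes the classic bind-mount behaviour the report relies on, namely that a bind mount shares its source's per-mount flags such as noexec; FSTAB_NOEXEC and FSTAB_FIXED are constructed samples modelled on the entries above.

```shell
#!/bin/sh
# Constructed fstab samples (not the reporter's actual file): the first keeps
# the package's noexec on /dev/shm, the second drops it as the report asks.
FSTAB_NOEXEC='sysfs /sys sysfs nosuid,nodev,noexec 0 0
proc /proc proc nosuid,nodev,noexec 0 0
devpts /dev/pts devpts nosuid,noexec 0 0
tmpfs /dev/shm tmpfs nosuid,nodev,noexec 0 0
/dev/shm /tmp none bind 0 0'

FSTAB_FIXED='tmpfs /dev/shm tmpfs nosuid,nodev 0 0
/dev/shm /tmp none bind 0 0'

# effective_opts FSTAB MOUNTPOINT
# Print the option list MOUNTPOINT ends up with. A "bind" entry declares no
# filesystem options of its own; it shares the per-mount flags (noexec
# included) of its source, so binds are followed back to the entry that
# really sets options. Exits 1 when MOUNTPOINT is not listed.
effective_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        NF >= 4 && $1 !~ /^#/ { src[$2] = $1; opt[$2] = $4 }
        END {
            if (!(mp in opt)) exit 1
            cur = mp
            while ("," opt[cur] "," ~ /,bind,/ && (src[cur] in opt)) cur = src[cur]
            print opt[cur]
        }'
}

# has_opt OPTLIST NAME: true if NAME is one of the comma-separated options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# tmp_exec_blocked FSTAB: true when /tmp inherits noexec, the state in which
# dpkg can no longer run the preconfiguration files it places under /tmp.
tmp_exec_blocked() {
    opts=$(effective_opts "$1" /tmp) || return 1
    has_opt "$opts" noexec
}

# Stand-alone report over both samples.
for f in NOEXEC FIXED; do
    eval "tab=\$FSTAB_$f"
    if tmp_exec_blocked "$tab"; then echo "$f: /tmp ends up noexec, dpkg preconfiguration breaks"
    else echo "$f: /tmp ends up $(effective_opts "$tab" /tmp), exec allowed"; fi
done
```

The same check run against a live /proc/mounts or `findmnt` output would need the options column adjusted, since the kernel reports bind mounts with the resolved flags rather than the word "bind".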