On 2020-10-02 22:35 +0300, Valter Jaakkola wrote:
> In an effort to increase security one of the things I'm trying to do is to have
> no world-writable directories where anything (well, binaries at least) could be
> executed from. I use Debian Linux 10 amd64. (I'm a home user.)
>
> When I run `sudo find / -type d -perm -2` and remove from the listing the
> directories which are on noexec-mounted partitions, just /dev/shm and
> /dev/mqueue are left (and some docker directories in /var/lib/docker/overlay2,
> to which I can't write as a normal user).
There are a few other directories where users can typically write to and execute binaries, though: /tmp, /var/tmp, $HOME, /run/user/$USER.

> The problem for me is mounting /dev/shm noexec -- I can't find where to do it. I
> couldn't find a lot of information about this on the internet. The few sources
> mostly only suggest adding it to fstab, but I'm hesitant about this as it isn't
> there already. I'd rather change the settings at the source, where it's mounted
> in the first place.
>
> I also ran `grep -rwlsI -e shm` through /etc and /usr/share but didn't find
> anything that would've looked like the mounting of /dev/shm, or where parameters
> for it could have been changed.
>
> So where can I change the mounting parameters of /dev/shm, or otherwise arrange
> it so that /dev/shm is noexec already at/after boot?

In /etc/fstab. :-)

> (Out of curiosity, where is /dev/shm mounted from?)

It's mounted by systemd; the list of core systems it mounts is hardcoded in the source[1]. Filesystems that appear in /etc/fstab are remounted with the options given there (for the gory details see systemd-fstab-generator(8) and systemd.mount(5)).

Cheers,
Sven

1. https://sources.debian.org/src/systemd/241-7~deb10u4/src/core/mount-setup.c/#L61
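A check for the situation discussed in this thread, added here as an example and not part of Sven's reply or Valter's post: it parses `findmnt -n -r -o TARGET,OPTIONS` output and reports every tmpfs mount that lacks `noexec`, matching options as whole comma-separated tokens so that `exec` does not falsely match `noexec`. A constructed sample of findmnt output is embedded so the script runs offline; the live check only runs where findmnt is present. The /etc/fstab line in the comment is an assumption about what a hardened entry looks like (the thread only says that an fstab entry causes a remount with the given options), not a line quoted from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): audit tmpfs mounts for noexec.
#
# Assumed hardened /etc/fstab entry that makes systemd remount /dev/shm with
# the options listed (systemd mounts it first, then applies the fstab entry):
#
#   tmpfs  /dev/shm  tmpfs  defaults,nosuid,nodev,noexec  0  0
#
# After adding it, `sudo mount -o remount /dev/shm` or a reboot applies it.

# mount_has_opt OPTIONS OPT
#   Return 0 if OPT appears as a whole comma-separated option in OPTIONS,
#   1 otherwise. Wrapping both sides in commas rejects substring matches
#   such as "exec" inside "noexec" or "dev" inside "nodev".
mount_has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_opt LINES OPT
#   LINES is "TARGET OPTIONS" text as printed by `findmnt -n -r -o TARGET,OPTIONS`
#   (one mount per line, single-space separated in raw mode). Prints each
#   TARGET whose OPTIONS lack OPT, one per line; prints nothing if all have it.
missing_opt() {
    printf '%s\n' "$1" | while read -r target opts rest; do
        [ -n "$target" ] || continue
        mount_has_opt "$opts" "$2" || printf '%s\n' "$target"
    done
}

# Constructed sample of findmnt output for a Debian 10 desktop where /dev/shm
# and /tmp are still exec (sizes and uids are made up).
SAMPLE_MOUNTS='/dev/shm rw,nosuid,nodev
/run/user/1000 rw,nosuid,nodev,noexec,relatime,size=401532k,mode=700,uid=1000,gid=1000
/run/lock rw,nosuid,nodev,noexec,relatime,size=5120k
/tmp rw,nosuid,nodev,relatime'

# Live check on the machine running this script; skipped where findmnt
# (util-linux) is not installed. Nothing here needs root.
if command -v findmnt >/dev/null 2>&1; then
    live=$(findmnt -n -r -o TARGET,OPTIONS -t tmpfs 2>/dev/null || true)
    for t in $(missing_opt "$live" noexec); do
        echo "tmpfs mounted without noexec: $t"
    done
fi
```

Running it on the sample prints `/dev/shm` and `/tmp` for `noexec` and nothing for `nosuid`; on a real box the live loop lists the tmpfs mounts that still need an fstab entry, which is a quicker way to confirm the remount took effect than re-running the `find / -perm -2` sweep from the original question.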