[systemd-devel] Mount options of /var/run/users/<pid>

Павел Самсонов pvsamsonov76 at gmail.com
Mon Feb 16 10:14:57 PST 2015


If I have a multiuser Linux installation with shell and DE access, my users
have no places in the system where they are able to download something from the internet
and execute it:
/ ro,exec
/home rw,noexec
/var rw,noexec
All tmpfs noexec
In Debian wheezy this is done and works.
In Debian jessie I have places (/run/users/*) where users may execute
downloaded executables. What must I do with this?
Sorry for my English.
On 16.02.2015 14:10, user "Lennart Poettering" <lennart at poettering.net>
wrote:

> On Sun, 15.02.15 16:31, Павел Самсонов (pvsamsonov76 at gmail.com)
> wrote:
>
> > Good day, I see a new Debian jessie, and I mean that /var/run/<pid>
> > filesystems must be mounted with noexec options, since they have user write
> > access. On some installations this is very important. Where may I configure
> > this, or maybe you change your default mount options?
> > Sorry for my English, best regards, Pavel, Russia.
>
> I cannot parse this. Do you mean /run/user/<uid>? /var/run/<pid> is
> not a separate mount, /run is, and that is not user writable.
>
> The /run/user/<uid> directory is mounted to implement
> XDG_RUNTIME_DIR. We guarantee certain functionality on it, including
> the ability to have executable files there, and that's specified in
> the XDG_RUNTIME_DIR spec.
>
> Hence, the only way to change it is by patching logind, and we will
> not add a configuration option for this, since it would mean
> XDG_RUNTIME_DIR would not provide what it's supposed to provide
> anymore.
>
> Note though that /run/user/<uid> is mounted as per-user tmpfs
> instance, with nosuid and nodev, and a size limit applied. It should
> hence be a pretty safe thing.
>
> Also note that "noexec" doesn't really do what people think it does.
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
>
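The properties Lennart describes for /run/user/<uid> (a per-user tmpfs with nosuid, nodev and a size limit, where executables remain allowed) can be checked on a running system. The following shell audit is an added example, not code from this thread or from systemd: it parses text in /proc/self/mounts format (a constructed sample is embedded; `SAMPLE_MOUNTS`, `mount_opts`, `has_opt`, `size_opt`, `audit_runtime_dir` and `audit_all` are names chosen here) and reports those options for every /run/user/<uid> mount.

```shell
#!/bin/sh
# Added audit helper: check the mount options of the per-user XDG_RUNTIME_DIR
# tmpfs instances (/run/user/<uid>) from text in /proc/self/mounts format.
# SAMPLE_MOUNTS is constructed for offline use; on a live system use
# MOUNTS=$(cat /proc/self/mounts) and pass that instead.
SAMPLE_MOUNTS='tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=1620864k,mode=755 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=810432k,mode=700,uid=1000,gid=1000 0 0
tmpfs /run/user/1001 tmpfs rw,nosuid,nodev,noexec,relatime,size=810432k,mode=700,uid=1001,gid=1001 0 0
/dev/sda1 / ext4 ro,relatime 0 0'

# mount_opts MOUNTS MOUNTPOINT -> prints the option field of that exact mountpoint
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_opt OPTSTRING OPTION -> exit 0 if OPTION is one of the comma-separated options
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# size_opt OPTSTRING -> prints the size=... value, or "none" when there is no limit
size_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^size=//p' | grep . || echo none
}

# audit_runtime_dir MOUNTS MOUNTPOINT -> prints one summary line. Exit 0 when the
# mount carries both nosuid and nodev (what logind guarantees per the thread),
# 1 otherwise. noexec is only reported: XDG_RUNTIME_DIR must allow executables.
audit_runtime_dir() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || { echo "$2: not mounted"; return 1; }
    nosuid=no; nodev=no; noexec=no; dir_rc=0
    has_opt "$opts" nosuid && nosuid=yes || dir_rc=1
    has_opt "$opts" nodev  && nodev=yes  || dir_rc=1
    has_opt "$opts" noexec && noexec=yes
    echo "$2: nosuid=$nosuid nodev=$nodev noexec=$noexec size=$(size_opt "$opts")"
    return $dir_rc
}

# audit_all MOUNTS -> audits every /run/user/<uid> mount; exit 1 if any one fails
audit_all() {
    all_rc=0
    for mp in $(printf '%s\n' "$1" | awk '$2 ~ "^/run/user/[0-9]+$" { print $2 }'); do
        audit_runtime_dir "$1" "$mp" || all_rc=1
    done
    return $all_rc
}
audit_all "$SAMPLE_MOUNTS"
```

A non-zero exit from `audit_all` means some /run/user/<uid> instance lacks nosuid or nodev, which is worth investigating; a `noexec=no` on its own is the expected state for XDG_RUNTIME_DIR.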