[systemd-devel] Mount options for $XDG_RUNTIME_DIR

Lennart Poettering lennart at poettering.net
Mon Mar 17 18:33:50 PDT 2014


On Mon, 17.03.14 19:04, Leonid Isaev (lisaev at umail.iu.edu) wrote:

> Hi,
> 
> 	Currently, XDG_RUNTIME_DIR=/run/user/<UID> is mounted with rather
> permissive, hardcoded mount options (or at least I couldn't find a documented
> way of changing them). Specifically, a user is allowed to execute things from
> his $XDG_RUNTIME_DIR. This effectively negates admin's ability to constrain
> users, e.g. by mounting /home as noexec (I have seen this done in some
> environments).
> 	Is there a need to allow execution from $XDG_RUNTIME_DIR? And how
> should one configure its mount options?

Yes, this is hardcoded in 211, that's true. We could make this
configurable but I am not really convinced that we really want that?

I mean, the XDG_RUNTIME_DIR spec says the dir "must be fully-featured by
the standards of the operating system. More specifically, ... proper
permissions ... must be supported". I'd read that as if the x bit should
do what it is supposed to do. So, in order to stay compatible with the
spec allowing to mount it with noexec sounds undesirable.

Moreover "noexec" is mostly snake-oil, isn't it? You can invoke the
executables with an interpreter still, and you can copy the files
elsewhere... 

Note that setting "noexec" on an fs means you cannot map its files
PROT_EXEC anymore, which breaks a number of things. In the past people
attempted to mount /dev/shm as noexec, and dosemu broke because it made
use of this. Then people wanted to mount /dev as noexec, which broke X11
which wanted to map some device nodes PROT_EXEC. Given that we consider
XDG_RUNTIME_DIR as a private version of /dev/shm among other things it
really sounds wrong to break this right from the start.

So, I am not really convinced I must say...

Lennart

-- 
Lennart Poettering, Red Hat
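The PROT_EXEC point above can be checked directly from an unprivileged shell. The following is an added example, not code from the thread or from systemd: it creates a scratch file in $XDG_RUNTIME_DIR (falling back to /tmp when unset) and tries to map its first page PROT_READ|PROT_EXEC; on a noexec mount the Linux kernel rejects that mapping with EPERM, which is exactly what breaks programs that rely on executable file mappings. The helper names `create_probe_file` and `probe_exec_mapping` are mine.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Create a small scratch file under dir via mkstemp and store its path in
 * out. Returns 0 on success or the errno of the failing call. */
int create_probe_file(const char *dir, char *out, size_t outlen) {
    if (snprintf(out, outlen, "%s/exec-probe-XXXXXX", dir) >= (int)outlen)
        return ENAMETOOLONG;
    int fd = mkstemp(out);
    if (fd < 0) return errno;
    /* Write a few bytes so the first page of the file really exists. */
    int e = (write(fd, "probe\n", 6) == 6) ? 0 : errno;
    close(fd);
    if (e) unlink(out);
    return e;
}

/* Map the first page of path with PROT_READ|PROT_EXEC. Returns 0 if the
 * mapping is allowed, otherwise the errno of the failing call; for a file
 * on a "noexec" mount the kernel rejects the mapping with EPERM. */
int probe_exec_mapping(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return errno;
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    int e = (p == MAP_FAILED) ? errno : 0;
    if (p != MAP_FAILED) munmap(p, len);
    close(fd);
    return e;
}

int main(void) {
    /* Probe $XDG_RUNTIME_DIR, falling back to /tmp when it is unset. */
    const char *dir = getenv("XDG_RUNTIME_DIR");
    if (!dir) dir = "/tmp";
    char path[4096];
    int e = create_probe_file(dir, path, sizeof path);
    if (e == 0) {
        e = probe_exec_mapping(path);
        unlink(path);
    }
    printf("%s: PROT_EXEC mapping %s\n", dir, e ? strerror(e) : "allowed");
    return e != 0;
}
```

Pointing the probe at a directory on a filesystem mounted noexec prints "Operation not permitted", while the same file copied to an exec-capable mount maps fine, which is the copy-elsewhere weakness mentioned in the reply.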
