[systemd-devel] Any reason why /run and /dev/shm do not have MS_NOEXEC flags set?

Hoyer, Marko (ADITG/SW2) mhoyer at de.adit-jv.com
Wed Feb 1 13:13:21 UTC 2017


Hi,

thanks to all for your fast feedback. I'll kick off an internal discussion based on the facts you delivered to find out if our people actually want what they want ;)

Best regards

Marko Hoyer
Software Group II (ADITG/SW2)

Tel. +49 5121 49 6948
-----Original Message-----
From: systemd-devel [mailto:systemd-devel-bounces at lists.freedesktop.org] On Behalf Of Reindl Harald
Sent: Wednesday, 1 February 2017 11:55
To: systemd-devel at lists.freedesktop.org
Subject: Re: [systemd-devel] Any reason why /run and /dev/shm do not have MS_NOEXEC flags set?



On 01.02.2017 at 11:02, Hoyer, Marko (ADITG/SW2) wrote:
> a tiny question:
>
> - Is there any reason why the mount points /run and /dev/shm do not 
> have MS_NOEXEC flags set?
>
> We like to remove execution capabilities from all volatile areas that 
> are writeable to users for security reasons

it's all not that easy - see
https://bugzilla.redhat.com/show_bug.cgi?id=1398474 and
https://bugs.exim.org/show_bug.cgi?id=1749 and I am pretty sure other pieces would break in case of noexec SHM (yes, I know that these bug reports are not about SHM, they are just an example)
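An added example, not part of this thread or of systemd: a POSIX shell audit of the per-mount flags on /run, /dev/shm and /tmp, the user-writable volatile areas the question is about. It only reads /proc/self/mountinfo and reports which hardening flags are missing, since, as the linked bug reports show, blindly remounting with noexec can break software; the mountinfo lines in SAMPLE_MOUNTINFO are constructed, and the function names are this example's own.

```shell
# Added example (not from the thread): audit the per-mount flags of the volatile
# user-writable tmpfs mounts discussed above via /proc/self/mountinfo, where field 5
# is the mount point and field 6 the per-mount flags (MS_NOEXEC appears as "noexec").

# Constructed sample in mountinfo format (not captured from a real host).
SAMPLE_MOUNTINFO='23 28 0:21 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,mode=755
24 28 0:22 / /dev/shm rw,nosuid,nodev,noexec shared:6 - tmpfs tmpfs rw
25 28 0:23 / /tmp rw shared:7 - tmpfs tmpfs rw
26 28 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw'
# mount_flags MOUNTPOINT FILE: flags of the topmost mount at MOUNTPOINT (last
# matching line wins, as with stacked bind mounts); exit 1 if there is none.
mount_flags() {
    awk -v mp="$1" '$5 == mp { flags = $6; found = 1 }
                    END { if (found) print flags; exit !found }' "$2"
}

# missing_flags MOUNTPOINT FILE: hardening flags absent from the mount, space
# separated (empty if fully hardened); "not-mounted" if it has no entry.
missing_flags() {
    flags=$(mount_flags "$1" "$2") || { echo "not-mounted"; return 0; }
    missing=""
    for f in noexec nosuid nodev; do
        case ",$flags," in
            *",$f,"*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    echo "${missing# }"
}

# report FILE: one line per volatile mount point; exit 1 if any still allows exec.
report() {
    rc=0
    for mp in /run /dev/shm /tmp; do
        m=$(missing_flags "$mp" "$1")
        printf '%-9s missing: %s\n' "$mp" "${m:-none}"
        case " $m " in *" noexec "*) rc=1 ;; esac
    done
    return $rc
}

# demo: run the report on the sample (on a live host: report /proc/self/mountinfo).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_MOUNTINFO" > "$tmp"
    rc=0; report "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}
```

On the sample, `demo` prints that /run lacks noexec and /tmp lacks all three flags, and exits 1.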


_______________________________________________
systemd-devel mailing list
systemd-devel at lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel