[systemd-devel] Antw: [EXT] Re: Creating executable device nodes in /dev?
Jarkko Sakkinen
jarkko at kernel.org
Fri Dec 11 10:40:50 UTC 2020
On Wed, Dec 09, 2020 at 08:58:52AM +0100, Ulrich Windl wrote:
> >>> Jarkko Sakkinen <jarkko at kernel.org> schrieb am 09.12.2020 um 01:15 in Nachricht
> <20201209001521.GA64007 at kernel.org>:
>
> ...
> >
> > What's the data that supports having noexec /dev anyway? With root
> > access I can then just use something else like /dev/shm mount.
> >
> > Has there been out in the wild real world cases that noexec mount
> > of would have prevented?
> >
> > For me this sounds a lot just something that "feels more secure"
> > without any measurable benefit. Can you prove me wrong?
>
> I think the better question is: Why not allow it? I.e.: Why do you want to forbid it?
>
> Event though I wouldn't like it myself, I could even think of noexec /tmp.
On an instance of an OS you should limit whatever is appropriate for
your use case. The debate is about sane defaults.
My argument is essentially that noexec /dev is not a sane default.
For anyone to who this makes sense, does such thing anyway. For
others, noexec /dev is only artificially useful.
> Regards,
> Ulrich
/Jarkko
More information about the systemd-devel
mailing list