cryptsetup, mount /tmp noexec, a no go

Since this thread is too old to resurrect, I have to make a new one.

I said that I had yet to find a scenario where mounting /tmp as noexec gives any real problems, but I found one today.

If you're mounting /tmp as noexec, cryptsetup won't install properly. It needs to run some perl scripts from there. This was on Mint Maya and cryptsetup 1.4.1.

 

And why would you wanna do that? /tmp as noexec?
Mrk

 

Hi awkwardpenguin,

To follow up on Mrk's comment, to my knowledge /tmp from Unix (circa 1970) and on into Linux (circa 1991) has been used for the purpose of assisting programs to perform their function, including executing code from /tmp which you have discovered.

In my experience, it is best not to upset the applecart of architectural decisions made by the original designers of either Unix or Linux.

OTOH, you could send email to Linus Torvalds and ask his opinion - uh, or not! I don't think he would favor a noexec /tmp with the goal of just hardening it for some paranoid reason, since doing so can be guaranteed to break something in the system at some time or another, i.e. there are probably too many dependencies to list on /tmp being executable in each system (Unix and Linux).

-- Tom

 

Mounting /tmp as noexec is very often mentioned in the general 'securing linux' sorta guides. The premise is to protect against low skill automated scripts. How applicable is that to real life in 2013? My impression is that it's not by much but that's ultimately up to the individual.

I'm not arguing for or against, I'm just following up what I said in the other thread.