cryptsetup, mount /tmp noexec, a no go

Discussion in 'all things UNIX' started by shuverisan, Sep 9, 2013.

Thread Status:
Not open for further replies.
  1. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    Since this thread is too old to resurrect, I have to make a new one.

    I said that I had yet to find a scenario where mounting /tmp as noexec gives any real problems, but I found one today.

    If you're mounting /tmp as noexec, cryptsetup won't install properly. It needs to run some Perl scripts from there. This was on Mint Maya and cryptsetup 1.4.1.
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,693
    And why would you wanna do that? /tmp as noexec?
    Mrk
     
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,088
    Hi awkwardpenguin,

    To follow up on Mrk's comment, to my knowledge /tmp from Unix (circa 1970) and on into Linux (circa 1991) has been used for the purpose of assisting programs to perform their function, including executing code from /tmp which you have discovered.

    In my experience, it is best not to upset the applecart of architectural decisions made by the original designers of either Unix or Linux.

    OTOH, you could send email to Linus Torvalds and ask his opinion - uh, or not! I don't think he would favor a noexec /tmp with the goal of just hardening it for some paranoid reason, since doing so can be guaranteed to break something in the system at some time or another, i.e. there are probably too many dependencies to list on /tmp being executable in each system (Unix and Linux).

    -- Tom
     
  4. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    Mounting /tmp as noexec is very often mentioned in the general 'securing Linux' sort of guides. The premise is to protect against low-skill automated scripts. How applicable is that to real life in 2013? My impression is that it's not by much, but that's ultimately up to the individual.

    I'm not arguing for or against, I'm just following up what I said in the other thread.
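
As an added example, not code from this thread, from cryptsetup or from any distribution: a small POSIX shell check that tells you whether a given path sits on a noexec mount, working from lines in the format of /proc/mounts (the mount table below is constructed for the example), plus a helper that temporarily remounts /tmp exec around an installer that needs it, which is the usual workaround for the cryptsetup case shuverisan describes. Function and variable names (mount_options_for_path, path_is_noexec, run_with_exec_tmp, SAMPLE_MOUNTS) are this example's own. Two caveats the hardening guides rarely spell out: noexec only stops execve (and PROT_EXEC mappings) of files on that filesystem, so `perl /tmp/x.pl` or `sh /tmp/x.sh` still run and the protection against dropped scripts is thinner than it looks; and a package whose maintainer scripts are unpacked into /tmp fails as described, so either remount exec for the install and restore noexec afterwards, or point TMPDIR at an exec filesystem for tools that honour it.

```shell
#!/bin/sh
# Added example: is a path on a noexec mount?  Works from text in the
# format of /proc/mounts: "<device> <mountpoint> <fstype> <options> 0 0".
# All names here are this example's own, not cryptsetup's or the distro's.

# Constructed sample mount table for the example.  On a live system use
#   mount_options_for_path "$(cat /proc/mounts)" /tmp/foo
# The /tmp line is what an fstab entry like
#   tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
# produces.  /proc/mounts escapes spaces in mount points as \040; this
# example assumes plain paths.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nodev 0 0'

# Print the mount options of the filesystem holding $2 (an absolute,
# normalised path), given the mount table text in $1.  The mount point
# must match on a path-component boundary, so /tmp does not cover /tmpfiles.
# Among equal-length matches the last line wins, because a later mount on
# the same point shadows an earlier one.
mount_options_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2; opts = $4
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best_len) { best_len = length(mp); best = opts }
            }
        }
        END { print best }'
}

# Exit status 0 if the filesystem holding $2 is mounted noexec.
path_is_noexec() {
    opts=$(mount_options_for_path "$1" "$2")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Run a command (for instance: apt-get install cryptsetup) with /tmp
# temporarily remounted exec, then put noexec back whatever the outcome.
# Needs root and a real /tmp mount; it is not executed in this example.
run_with_exec_tmp() {
    mount -o remount,exec /tmp || return 1
    "$@"
    status=$?
    mount -o remount,noexec /tmp
    return $status
}

# Usage with the constructed sample:
if path_is_noexec "$SAMPLE_MOUNTS" /tmp/postinst-helper.pl; then
    echo "/tmp is noexec: an installer that execs scripts there fails with EACCES"
fi
```

The check reads the effective mount options rather than /etc/fstab, so it also catches a /tmp that was remounted by hand and never put back to noexec, which is the failure mode of the remount workaround above if the install step is interrupted.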
     