On Tue, Dec 14, 2010 at 02:25:38PM +0000, Richard W.M. Jones wrote:
> On Tue, Dec 14, 2010 at 02:24:53PM +0100, Tomasz Torcz wrote:
> > We saw it includes /dev, /dev/shm etc. Is there any *reasonable* need
> > to mount sysfs somewhere else than /sys. Or /dev with mode other than 755?
> > Those all directories are mounted _identically_ on every Linux distribution
> > down here. Why pollute fstab with repeated lines on million machines?
>
> The issue here isn't that the reporter wanted to mount them somewhere
> else, but he wanted to set the default mount options to something else
> (or in fact to set them back to how they are now -- systemd has
> decided to use some other mount options entirely without consulting
> anyone else).
>
> I think it's very reasonable to want to edit /etc/fstab to change the
> default mount options of these filesystems. Suppose that /dev/shm
> defaults to allowing suid and exec. At some point in the future a
> security problem is found which can be worked around by temporarily
> setting nosuid on /dev/shm (while the real issue is fixed). An
> administrator can't do that without recompiling systemd.

Of course an administrator can temporarily override it:

  mount -o remount,nosuid /dev/shm

Or even have it stick after reboot, by dropping the following unit
definition into /etc/systemd/system/ (1):

--
[Unit]
Description=Temporary workaround for CVE-x
DefaultDependencies=false
# order after the /dev/shm mount unit so the remount finds it mounted
After=dev-shm.mount

[Service]
Type=oneshot
# no space after the comma: the option list is a single argument
ExecStart=/bin/mount -o remount,nosuid /dev/shm

[Install]
# WantedBy lives in [Install]; activate with "systemctl enable <unit>"
WantedBy=local-fs.target
--

While I agree that hidden mounts are a bad idea, they're still visible
in "systemctl -t mount" and "findmnt" output.

(1) created ad hoc to show the idea, not tested

--
Tomasz Torcz                "RIP is irrelevant. Spoofing is futile.
xmpp: zdzichubg@xxxxxxxxx     Your routes will be aggregated." -- Alex Yuriev

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
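The thread turns on whether an administrator can see and enforce the mount options systemd applies to /dev/shm. The following POSIX shell script, an added example that is not part of the thread and not systemd or Fedora code, checks a mountpoint for required options by parsing lines in /proc/self/mounts format. The sample mount table is constructed for the example; the function names (mount_has_opts, audit_mount) are this example's own.

```shell
#!/bin/sh
# Added example: verify that a mountpoint carries the expected options
# (e.g. nosuid on /dev/shm) by parsing /proc/self/mounts-style lines.
# Exit codes of mount_has_opts: 0 = all options present, 1 = an option is
# missing, 2 = mountpoint not present in the table.

# Constructed sample mount table in /proc/self/mounts format
# (fields: source mountpoint fstype options dump pass).
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,relatime,size=4k,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# mount_has_opts MOUNT_TABLE MOUNTPOINT OPTION...
mount_has_opts() {
  table="$1"; target="$2"; shift 2
  # field 4 is the comma-separated option list for the exact mountpoint
  opts=$(printf '%s\n' "$table" | awk -v t="$target" '$2 == t { print $4 }')
  [ -n "$opts" ] || return 2
  for want in "$@"; do
    case ",$opts," in
      *",$want,"*) ;;          # option present, keep checking
      *) return 1 ;;           # option missing
    esac
  done
  return 0
}

# audit_mount MOUNT_TABLE MOUNTPOINT OPTION... prints a one-line verdict
# and returns mount_has_opts' status, so it can drive a monitoring check.
audit_mount() {
  table="$1"; target="$2"; shift 2
  rc=0
  mount_has_opts "$table" "$target" "$@" || rc=$?
  case $rc in
    0) printf 'OK      %s has %s\n' "$target" "$*" ;;
    1) printf 'MISSING %s lacks one of %s\n' "$target" "$*" ;;
    *) printf 'ABSENT  %s is not mounted\n' "$target" ;;
  esac
  return $rc
}

# Stand-alone run: use the live table when available, the sample otherwise.
if [ -r /proc/self/mounts ]; then
  TABLE=$(cat /proc/self/mounts)
else
  TABLE="$SAMPLE_MOUNTS"
fi
audit_mount "$TABLE" /dev/shm nosuid nodev || :
```

On a live host the script reads /proc/self/mounts, the same source findmnt uses, so it reports whether a remount such as the one in the unit above actually took effect; the sample table is only used where that file is unreadable.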