/dev/shm not mounted noexec

  • /dev/shm not mounted noexec

    Is there a reason /dev/shm isn't mounted noexec by /etc/cagefs/cagefs.mp?

    The user is in CageFS, though:

    22720 *username obfuscated*  20   0 2451856  58620   1104 S 100.3  0.1   0:19.28 md

    [root@*host obfuscated* ~]# crontab -l -u *username obfuscated*
    * * * * * /dev/shm/.z/upd >/dev/null 2>&1

    [root@*host obfuscated* ~]# ls -al /dev/shm/.z
    total 4164
    drwxr-xr-x 2 *username obfuscated* *username obfuscated*    260 Dec  6 19:27 .
    drwxrwxrwt 3 root     root          60 Dec  6 19:27 ..
    -rwxr-xr-x 1 *username obfuscated* *username obfuscated*     329 Dec  6 16:58 a
    -rw-r--r-- 1 *username obfuscated* *username obfuscated*       6 Dec  7 07:26 bash.pid
    -rw-r--r-- 1 *username obfuscated* *username obfuscated*      42 Dec  6 19:27 cron.d
    -rw-r--r-- 1 *username obfuscated* *username obfuscated*      12 Dec  6 19:27 dir.dir
    -rwxr-xr-x 1 *username obfuscated* *username obfuscated*   15125 Dec  6 16:58 h32
    -rwxr-xr-x 1 *username obfuscated* *username obfuscated*  838583 Dec  6 16:58 h64
    -rwxr-xr-x 1 *username obfuscated* *username obfuscated* 2979640 Dec  6 16:58 md
    -rwxr-xr-x 1 *username obfuscated* *username obfuscated*  227220 Dec  6 16:58 md32
    -rwxr-xr-x 1 *username obfuscated* *username obfuscated*  168896 Dec  6 16:58 mdx
    -rwxr-xr-x 1 *username obfuscated* *username obfuscated*     564 Dec  6 19:02 run
    -rwxr--r-- 1 *username obfuscated* *username obfuscated*     182 Dec  6 19:27 upd

  • #2
    Hello,

    In my test environment /dev/shm is not mounted with noexec as well:

    # mount |grep shm
    tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
    tmpfs on /usr/share/cagefs-skeleton/dev/shm type tmpfs (rw,nosuid,relatime)

    Did you try to mount /dev/shm in the real file system with noexec first?


    • #3
      Is there anything in the CL internals that would be negatively affected if we mounted it noexec in /etc/cagefs/cagefs.mp? I guess not, just wanted to make sure?


      • #4
        Hello,

        There should be no side effects.


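Added example, not part of the original thread and not CloudLinux's own tooling: a shell audit for the condition discussed above. It parses `mount`-style output for `/dev/shm` mounts that lack `noexec` and flags crontab entries that run from `/dev/shm`. The function names, the third mount line and the second cron line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Read `mount`-style lines on stdin; print every mount point ending in
# /dev/shm whose option list does not contain noexec.
shm_missing_noexec() {
    awk '$2 == "on" && $3 ~ /\/dev\/shm$/ {
        opts = $NF
        gsub(/[()]/, "", opts)
        n = split(opts, o, ",")
        found = 0
        for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1
        if (!found) print $3
    }'
}

# Read crontab lines on stdin; print entries that reference a path under
# /dev/shm as a separate word (comment lines are skipped).
cron_runs_from_shm() {
    awk '!/^[ \t]*#/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^\/dev\/shm\//) { print; next }
    }'
}

# First two lines are the mount output quoted in post #2; the third is constructed.
sample_mounts() {
    cat <<'EOF'
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /usr/share/cagefs-skeleton/dev/shm type tmpfs (rw,nosuid,relatime)
tmpfs on /mnt/example/dev/shm type tmpfs (rw,nosuid,nodev,noexec)
EOF
}

# First line is the crontab entry from post #1; the second is constructed.
sample_cron() {
    cat <<'EOF'
* * * * * /dev/shm/.z/upd >/dev/null 2>&1
0 3 * * * /usr/bin/php /home/exampleuser/cron.php
EOF
}

echo "shm mounts without noexec:"
sample_mounts | shm_missing_noexec
echo "cron entries running from /dev/shm:"
sample_cron | cron_runs_from_shm
```

On a live host, pipe the output of `mount` and of `crontab -l -u` for each user into the two functions instead of the sample data.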