Re: [arch-dev-public] [arch-general] [initscripts] Please revert last commit 757f653
On Sun, 2009-08-23 at 19:06 -0300, Gerardo Exequiel Pozzi wrote:
Hi
Please revert the last commit[#1]; mounting /dev as NOEXEC is incorrect. This breaks the nvidia GLX extension, vmware, mplayer and possibly other programs that use mmap() with execute privilege.
PS: I guess that setting a size is "redundant"
Thanks.
[#1] http://projects.archlinux.org/?p=initscripts.git;a=commitdiff;h=757f653b8c9b...
Setting size is not redundant, as without it, tmpfs allows allocating 1GB by default. Though tmpfs is a dynamic filesystem that only uses memory that is in use on tmpfs, I don't think it makes sense to allow more than 10MB here. Other distributions limit the size of tmpfs also. CC'ing this to the arch-dev-public list, as our bugtracker is down.
Jan de Groot wrote:
On Sun, 2009-08-23 at 19:06 -0300, Gerardo Exequiel Pozzi wrote:
Hi
Please revert the last commit[#1]; mounting /dev as NOEXEC is incorrect. This breaks the nvidia GLX extension, vmware, mplayer and possibly other programs that use mmap() with execute privilege.
PS: I guess that setting a size is "redundant"
I already asked Gerardo in private: Can anyone provide any reference as to why noexec will prevent programs from working?
On Mon, 2009-08-24 at 01:25 +0200, Thomas Bächler wrote:
Jan de Groot wrote:
On Sun, 2009-08-23 at 19:06 -0300, Gerardo Exequiel Pozzi wrote:
Hi
Please revert the last commit[#1]; mounting /dev as NOEXEC is incorrect. This breaks the nvidia GLX extension, vmware, mplayer and possibly other programs that use mmap() with execute privilege.
PS: I guess that setting a size is "redundant"
I already asked Gerardo in private: Can anyone provide any reference as to why noexec will prevent programs from working?
Some applications like the ones mentioned in the original post will mmap files in /dev/ with the PROT_EXEC flag. When the filesystem is mounted as noexec, these mmap operations will fail. Even if the program doesn't execute anything used in the mmap operation, the whole mmap operation will just fail when this flag is set on a noexec filesystem.
Jan de Groot wrote:
Some applications like the ones mentioned in the original post will mmap files in /dev/ with the PROT_EXEC flag. When the filesystem is mounted as noexec, these mmap operations will fail. Even if the program doesn't execute anything used in the mmap operation, the whole mmap operation will just fail when this flag is set on a noexec filesystem.
How stupid. Can I at least put nosuid there? And put nosuid to /dev/shm as well?
On Mon, 2009-08-24 at 09:20 +0200, Thomas Bächler wrote:
Jan de Groot wrote:
Some applications like the ones mentioned in the original post will mmap files in /dev/ with the PROT_EXEC flag. When the filesystem is mounted as noexec, these mmap operations will fail. Even if the program doesn't execute anything used in the mmap operation, the whole mmap operation will just fail when this flag is set on a noexec filesystem.
How stupid. Can I at least put nosuid there? And put nosuid to /dev/shm as well?
I think that might be good. I don't see a reason to store suid stuff in /tmp, /dev and /dev/shm. Out of these, /dev/shm and /tmp are the most important ones that should be nosuid.
Jan de Groot wrote:
How stupid. Can I at least put nosuid there? And put nosuid to /dev/shm as well?
I think that might be good. I don't see a reason to store suid stuff in /tmp, /dev and /dev/shm. Out of these, /dev/shm and /tmp are the most important ones that should be nosuid.
/dev/shm is in fstab, as is /tmp (providing it is on a separate partition), so we can only change defaults here.
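Added example (not part of the original thread or of initscripts): a small C probe for the behaviour discussed above, useful for checking a mount before and after adding noexec. It maps a scratch file with and without PROT_EXEC and reports the mount's noexec flag next to the results. The function names, the /dev/shm default and the use of a regular scratch file in place of a device node are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/statvfs.h>
#include <unistd.h>
#ifndef ST_NOEXEC              /* glibc hides it unless _GNU_SOURCE is set */
#define ST_NOEXEC 8            /* Linux value of the noexec mount flag */
#endif
/* Create an unlinked one-page scratch file in dir; returns fd or -1. */
int scratch_fd(const char *dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/mmap-probe-XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                           /* file lives only while fd is open */
    if (ftruncate(fd, 4096) != 0) { close(fd); return -1; }
    return fd;
}

/* 1 if the filesystem holding fd is mounted noexec, 0 if not, -1 on error. */
int mount_is_noexec(int fd)
{
    struct statvfs vfs;
    if (fstatvfs(fd, &vfs) != 0) return -1;
    return (vfs.f_flag & ST_NOEXEC) ? 1 : 0;
}

/* Map one page of fd with prot; returns 0 on success, errno on failure. */
int try_mmap(int fd, int prot)
{
    void *p = mmap(NULL, 4096, prot, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) return errno;
    munmap(p, 4096);
    return 0;
}
int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/dev/shm";   /* assumed default */
    int fd = scratch_fd(dir);
    if (fd < 0) { perror(dir); return 1; }
    int r = try_mmap(fd, PROT_READ), rx = try_mmap(fd, PROT_READ | PROT_EXEC);
    printf("%s: noexec=%d PROT_READ=%s PROT_READ|PROT_EXEC=%s\n", dir,
           mount_is_noexec(fd), r ? strerror(r) : "ok", rx ? strerror(rx) : "ok");
    close(fd);
    return 0;
}
```

On a noexec mount the PROT_READ mapping succeeds while the PROT_READ|PROT_EXEC mapping fails with EPERM, even though nothing in the mapping is ever executed.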
participants (2)
- Jan de Groot
- Thomas Bächler