
Mounting /dev/shm noexec



Hi,

In an effort to increase security one of the things I'm trying to do is to have
no world-writable directories where anything (well, binaries at least) could be
executed from. I use Debian Linux 10 amd64. (I'm a home user.)

When I run `sudo find / -type d -perm -2` and remove from the listing the
directories which are on noexec-mounted partitions, just /dev/shm and
/dev/mqueue are left (and some docker directories in /var/lib/docker/overlay2,
to which I can't write as a normal user).

I assume that /dev/mqueue being exec-mounted doesn't have the same risks as
/dev/shm, as mqueue is not(?) an ordinary filesystem where one could save files
and execute them, right? (Or so it appears to me after some experimentation and
reading.)

The problem for me is mounting /dev/shm noexec -- I can't find where to do it. I
couldn't find a lot of information about this on the internet. The few sources
mostly only suggest adding it to fstab, but I'm hesitant about this as it isn't
there already. I'd rather change the settings at the source, where it's mounted
in the first place.

I also ran `grep -rwlsI -e shm` through /etc and /usr/share but didn't find
anything that would've looked like the mounting of /dev/shm, or where parameters
for it could have been changed.

So where can I change the mounting parameters of /dev/shm, or otherwise arrange
it so that /dev/shm is noexec already at/after boot?

(Out of curiosity, where is /dev/shm mounted from?)

(Additional suggestions regarding security are most welcome, too.)

Kind regards,
Valter Jaakkola
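As an added example (not part of the original message), the following POSIX shell helpers do the check the poster is after: they read mount lines in the /proc/mounts format (device, mount point, fstype, comma-separated options, dump, pass) and report whether a given mount point carries noexec, plus a listing of every tmpfs mount that lacks it. The sample mount lines below are constructed for the example, not captured from a real system; on a live machine the same functions read /proc/mounts instead.

```shell
#!/bin/sh
# Added example: verify that /dev/shm (and other tmpfs mounts) are noexec.
# Input format is that of /proc/mounts:
#   <device> <mountpoint> <fstype> <opt1,opt2,...> <dump> <pass>
# (Mount points containing spaces appear escaped as \040 there; the sample
# below has none, so no unescaping is done.)

# mount_has_opt MOUNTPOINT OPTION
# Reads mount lines on stdin; returns 0 if MOUNTPOINT is mounted with OPTION,
# 1 otherwise. Options are compared whole, so "noexec" will not match "exec".
mount_has_opt() {
    awk -v mp="$1" -v want="$2" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# report_missing_noexec
# Reads mount lines on stdin; prints the mount point of every tmpfs that is
# not mounted noexec (tmpfs is where world-writable scratch space usually lives).
report_missing_noexec() {
    awk '$3 == "tmpfs" {
        n = split($4, opts, ","); has = 0
        for (i = 1; i <= n; i++) if (opts[i] == "noexec") has = 1
        if (!has) print $2
    }'
}

# Constructed sample of /proc/mounts-style lines (not from a real host):
# /dev/shm lacks noexec, /tmp has it, /dev/mqueue is not a tmpfs at all.
sample_mounts() {
    cat <<'EOF'
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
mqueue /dev/mqueue mqueue rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Demonstration on the constructed sample. On a live system use:
#   mount_has_opt /dev/shm noexec < /proc/mounts && echo "ok" || echo "MISSING"
#   report_missing_noexec < /proc/mounts
if sample_mounts | mount_has_opt /dev/shm noexec; then
    echo "/dev/shm: noexec set"
else
    echo "/dev/shm: noexec MISSING"
fi
echo "tmpfs mounts without noexec:"
sample_mounts | report_missing_noexec
```

Run against the sample this reports /dev/shm as the only tmpfs without noexec. After adding an fstab entry of the usual form for /dev/shm (a tmpfs line whose options include nosuid,nodev,noexec) and rebooting, re-running `report_missing_noexec < /proc/mounts` is the quickest way to confirm the option actually took effect rather than trusting the configuration file alone.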
