Asked Sunday, April 17, 2022, 6:09:37

I'm using Ubuntu 22.04.1 LTS.


Currently /run is mounted as a tmpfs without noexec:


mount | grep '/run '
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=...,nr_inodes=...,mode=755,inode64)

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy

uname -a
Linux example.com 5.15.0-1020-aws #24-Ubuntu SMP Thu Sep 1 16:04:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

I assume it's set up via systemd, as an API File System? But I'm not sure how/where it's configured.


There is no entry in /etc/fstab.


The servers I administer that use Ubuntu 20.04.5 LTS already have noexec on /run. I don't remember doing this manually, so I wonder if this might be a change in Ubuntu 22.04.1 LTS?




As to why... I've got a script to check that every folder writable by the www-data user is on a noexec mount. The theory being, if any of the hosted websites have a security vulnerability that allows an attacker to create a file on the disk in an arbitrary location (e.g. /run/lock/apache2/), then at least noexec might provide some protection (I know it does not stop an interpreter from executing).


Answers

update


A bug report for the systemd package in Ubuntu has been filed based on this question. The difference in mount options when booting initrdless is seen as a possible regression.


original


The /run mount is typically created by the initramfs-tools init script inside of the initramfs. This is before things like systemd run. The /run mount persists after the initramfs pivots to the real root filesystem.


The mount command in initramfs-tools includes the noexec mount option.


mount -t tmpfs -o "nodev,noexec,nosuid,size=${RUNSIZE:-10%},mode=0755" tmpfs /run

If you need to modify the mount arguments used by initramfs-tools then you can edit the init script locally at /usr/share/initramfs-tools/init and rebuild the initramfs with the command


update-initramfs -c -k $(uname -r)

You are launching an Ubuntu VM in AWS. When Ubuntu boots in AWS it does so initrdless, and does not use the initramfs. When the kernel boots initrdless the initramfs-tools script does not run. Instead, the /run mount (and others) are created by systemd as defined in this mount table entry and these mount options. The mount options do not appear to be customizable. The resulting equivalent mount command is


mount -t tmpfs -o "nodev,nosuid,strictatime,size=20%,nr_inodes=800k,mode=0755" tmpfs /run

Based on comment 21 in this bug, these commands update the AWS VM so it will boot with the initramfs instead of booting initrdless.


mv /etc/default/grub.d/40-force-partuuid.cfg{,.bak}
update-grub

That same comment provides this insight on why the AWS VM boots initrdless.


we provide custom kernels for our cloud partners which have all the drivers needed to boot built in, loading an initrd is a waste of time at boot

The /run/lock mount mentioned in the other answer is always created by systemd. This is because of a Debian/Ubuntu specific patch to systemd that defines the mount for "historic reasons". The mount options do not seem to be configurable either.


[#221] Tuesday, April 19, 2022
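The check the question describes (is each www-data-writable directory on a noexec mount?) depends on mapping a path to the longest matching mount point and then inspecting that mount's options, which is where the initrdless /run without noexec shows up. The following is an added example, not code from the question or the answer; the mount table is constructed in /proc/self/mounts format with placeholder sizes, and the /run line uses the option set the answer gives for the systemd-created mount.

```python
"""Report which directories sit on a mount without noexec, given a
/proc/self/mounts-style table. Added example; not from the original post."""
import os
import re
from typing import Dict, List, Set, Tuple

# Constructed /proc/self/mounts table. /run carries the options the answer
# lists for an initrdless (systemd-created) boot, i.e. no noexec; /run/lock is
# the Debian/Ubuntu systemd mount and does have it. Sizes are placeholders.
SAMPLE_MOUNTS = """\
/dev/root / ext4 rw,relatime,discard 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=1G,nr_inodes=800k,mode=755,inode64 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,size=5120k,inode64 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
"""


def parse_mounts(text: str) -> Dict[str, Set[str]]:
    """Map each mount point to its option set. The kernel writes octal
    escapes (\\040 for a space) into mount-point names; decode them."""
    table: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[1])
        table[mnt] = set(fields[3].split(","))
    return table


def mount_for(path: str, mounts: Dict[str, Set[str]]) -> str:
    """Longest mount point that is a prefix of the normalised path. Symlinks
    are not resolved here; on a live system pass os.path.realpath(path)."""
    p = os.path.normpath(path)
    best = "/"
    for mnt in mounts:
        if (p == mnt or p.startswith(mnt.rstrip("/") + "/")) and len(mnt) > len(best):
            best = mnt
    return best


def audit(paths: List[str], mounts_text: str) -> List[Tuple[str, str, bool]]:
    """Return (path, mount point, has_noexec) for each path, so directories an
    attacker could write to but that lack noexec can be flagged."""
    mounts = parse_mounts(mounts_text)
    return [(p, m, "noexec" in mounts.get(m, set()))
            for p in paths for m in [mount_for(p, mounts)]]


if __name__ == "__main__":
    # Stand-in for the www-data-writable directories the question's script collects.
    dirs = ["/run/lock/apache2", "/run/php", "/tmp", "/var/www/html/uploads"]
    for path, mnt, ok in audit(dirs, SAMPLE_MOUNTS):
        print(f"{'ok            ' if ok else 'noexec missing'} {path} (mount {mnt})")
```

On a real host, feed `audit()` the contents of /proc/self/mounts and the directory list produced by a `find ... -writable`-style scan run as www-data.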