I'm using Ubuntu 22.04.1 LTS. Currently `/run` is mounted as a tmpfs without `noexec`:

```
$ mount | grep '/run '
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=...,nr_inodes=...,mode=755,inode64)

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:        22.04
Codename:       jammy

$ uname -a
Linux example.com 5.15.0-1020-aws #24-Ubuntu SMP Thu Sep 1 16:04:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
```

I assume it's set up via systemd, as an API file system? But I'm not sure how/where it's configured. There is no entry in `/etc/fstab`.

The servers I administer that use Ubuntu 20.04.5 LTS already have `noexec` on `/run`. I don't remember doing this manually, so I wonder if this might be a change in Ubuntu 22.04.1 LTS?

As to why... I've got a script to check that every folder writable by the `www-data` user is on a `noexec` mount. The theory being, if any of the hosted websites has a security vulnerability that allows an attacker to create a file on the disk in an arbitrary location (e.g. `/run/lock/apache2/`), then at least `noexec` might provide some protection (I know it does not stop an interpreter from executing).
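The kind of check the question describes, as an added example (this is not the poster's own script): a POSIX sh checker that resolves each directory to the deepest mount containing it and reports any whose mount options lack `noexec`. So that it runs offline, it reads a constructed mount table in `/proc/self/mounts` format; the mount lines, the options on `/run/lock`, and the directory names are all made up for illustration and are not taken from the host in the question.

```shell
#!/bin/sh
# Added example: report directories that are NOT on a noexec mount.
# Not the poster's script. Works on a constructed mount table so it runs offline.

# Constructed sample in /proc/self/mounts format (not from a real host).
# Note that /run/lock is a separate mount with different options from /run.
SAMPLE_MOUNTS='/dev/root / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=1M,mode=755 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,size=5M 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# mount_for PATH: print "<mountpoint> <options>" of the deepest mount containing PATH.
# Longest-prefix match on the mount point, so /run/lock wins over /run for /run/lock/x.
mount_for() {
  printf '%s\n' "$SAMPLE_MOUNTS" | awk -v p="$1" '
    {
      mp = $2; opts = $4
      if (mp == "/" || mp == p || index(p, mp "/") == 1) {
        if (length(mp) > best_len) { best_len = length(mp); best_mp = mp; best_opts = opts }
      }
    }
    END { print best_mp, best_opts }'
}

# has_noexec PATH: exit 0 if the mount containing PATH carries the noexec option.
has_noexec() {
  set -- $(mount_for "$1")
  case ",$2," in *,noexec,*) return 0 ;; esac
  return 1
}

# check_dirs DIR...: print every DIR whose mount allows execution; exit 1 if any does.
check_dirs() {
  rc=0
  for d in "$@"; do
    if ! has_noexec "$d"; then
      printf 'EXEC ALLOWED: %s (mount %s)\n' "$d" "$(mount_for "$d" | cut -d' ' -f1)"
      rc=1
    fi
  done
  return $rc
}

# Demo on the constructed table: /run/apache2 is flagged, the other two are not.
check_dirs /run/lock/apache2 /run/apache2 /tmp || :
```

On a live host, replace `SAMPLE_MOUNTS` with the contents of `/proc/self/mounts` and feed `check_dirs` the directories the web user can write to, e.g. `sudo -u www-data find / -type d -writable 2>/dev/null`. The longest-prefix lookup matters because a nested mount such as `/run/lock` can have different options from its parent `/run`; `findmnt -n -o OPTIONS -T "$dir"` does the same resolution if you prefer a one-liner. As the question already notes, `noexec` only blocks direct execution of a dropped file; `php file.php` or `sh file` still runs it.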