From: Peter Müller
To: development@lists.ipfire.org
Subject: Various mount options have changed in Core Update 169
Date: Mon, 20 Jun 2022 20:34:15 +0000
Message-ID: <8b05614d-bf3f-df6d-1157-b4d21235329f@ipfire.org>

Hello *,

while pre-testing Core Update 169, it came to my attention that, for some reason, various mount options have changed since Core Update 168, lacking options such as "nodev", "noexec", "nosuid", which means a security downgrade. The complete delta is as follows:

$ diff -Naur before after --- before 2022-06-20 20:04:32.436632074 +0000 +++ after 2022-06-20 20:04:34.500401575 +0000 
@@ -1,12 +1,12 @@ -devpts on /dev/pts type devpts (rw,relatime,gid=3D5,mode=3D620,ptmxmode=3D00= 0) +devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=3D5,mode=3D620= ,ptmxmode=3D000) /dev/sda1 on /boot type ext4 (rw,relatime) /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=3D0022,dmask=3D0022,code= page=3D437,iocharset=3Dascii,shortname=3Dmixed,errors=3Dremount-ro) /dev/sda4 on / type ext4 (rw,relatime) -devtmpfs on /dev type devtmpfs (rw,relatime,size=3D1963708k,nr_inodes=3D4909= 27,mode=3D755) +devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,size=3D1949992k,nr_inodes= =3D487498,mode=3D755) efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,relatime) none on /sys/fs/cgroup type cgroup2 (rw,relatime) -/proc on /proc type proc (rw,relatime) -/run on /run type tmpfs (rw,nosuid,nodev,relatime,size=3D8192k,mode=3D755) -/sys on /sys type sysfs (rw,relatime) -tmpfs on /dev/shm type tmpfs (rw,relatime) +proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) +sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime) +tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec) +tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,mode=3D755) /var/lock on /var/lock type tmpfs (rw,nosuid,nodev,relatime,size=3D8192k)

I cannot recall having this explicitly changed anywhere, and don't understand the root cause for this (unwanted) change. Could somebody please point me in the right direction? :-)

Thanks in advance, and best regards,
Peter Müller
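
Review bot: the direction of this delta looks inverted relative to the description. In the hunk, the "-" lines from "before" (devpts, devtmpfs, /proc, /sys, /dev/shm) are the ones without nosuid/nodev/noexec, and the "+" lines from "after" carry them, so as printed the step from "before" to "after" adds hardening instead of removing it. It is worth confirming which release each file was captured on, and swapping the two arguments to diff if "before" is in fact the Core Update 169 system. Two further details in the same hunk are useful leads when looking for where the mounts are performed: the source field differs between the two captures ("/proc on /proc" against "proc on /proc", "/sys" against "sysfs", "/run" against "tmpfs"), and the /run line with "size=3D8192k" has no counterpart with a size limit on the other side.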
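
The concern in this message, that pseudo-filesystems lose nodev, noexec or nosuid between releases, can be checked mechanically after each update. The script below is an added example, not part of the original message or of IPFire's code; the POLICY table and the check_mounts name are assumptions, and the sample lines are the "-" side of the listing with the quoted-printable encoding decoded.

```shell
#!/bin/sh
# Added example: audit `mount`-format output against a per-mountpoint policy.
# POLICY (assumption) mirrors the flags on the hardened lines of the listing.
POLICY='/proc:nosuid,nodev,noexec /sys:nosuid,nodev,noexec'
POLICY="$POLICY /dev/shm:nosuid,nodev,noexec /run:nosuid,nodev,noexec"
POLICY="$POLICY /dev:nosuid,noexec /dev/pts:nosuid,noexec"

# Sample input: the "-" side of the listing, quoted-printable decoded.
SAMPLE_WEAK='devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
devtmpfs on /dev type devtmpfs (rw,relatime,size=1963708k,nr_inodes=490927,mode=755)
/proc on /proc type proc (rw,relatime)
/run on /run type tmpfs (rw,nosuid,nodev,relatime,size=8192k,mode=755)
/sys on /sys type sysfs (rw,relatime)
tmpfs on /dev/shm type tmpfs (rw,relatime)'

# check_mounts (hypothetical helper): reads mount lines on stdin and prints
# "<mountpoint> missing:<opts>" or "<mountpoint> not-mounted" per violation.
# Exit status is 1 if anything was reported, 0 otherwise.
check_mounts() {
    awk -v policy="$POLICY" '
    BEGIN {
        n = split(policy, rows, " ")
        for (i = 1; i <= n; i++) {
            split(rows[i], kv, ":")
            order[i] = kv[1]; want[kv[1]] = kv[2]
        }
    }
    # Line format: <source> on <mountpoint> type <fstype> (<opt>,<opt>,...)
    $2 == "on" && $4 == "type" && ($3 in want) {
        opts = $NF
        gsub(/[()]/, "", opts)
        have[$3] = "," opts ","   # a later mount on the same path wins
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            mp = order[i]
            if (!(mp in have)) { print mp " not-mounted"; bad = 1; continue }
            miss = ""
            m = split(want[mp], req, ",")
            for (j = 1; j <= m; j++)
                if (index(have[mp], "," req[j] ",") == 0)
                    miss = (miss == "" ? "" : miss ",") req[j]
            if (miss != "") { print mp " missing:" miss; bad = 1 }
        }
        exit bad
    }'
}

# Live use: mount | check_mounts
```

Run against the sample, it reports every policy path, with /run missing only noexec; a non-zero exit status makes it usable as a post-update test step.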