Hi, in an effort to increase security one of the things I'm trying to do is to have no world-writable directories where anything (well, binaries at least) could be executed from. I use Debian Linux 10 amd64. (I'm a home user.)

When I run `sudo find / -type d -perm -2` and remove from the listing the directories which are on noexec-mounted partitions, just /dev/shm and /dev/mqueue are left (and some docker directories in /var/lib/docker/overlay2, to which I can't write as a normal user). I assume that /dev/mqueue being exec-mounted doesn't have the same risks as /dev/shm, as mqueue is not(?) an ordinary filesystem where one could save files and execute them, right? (Or so it appears to me after some experimentation and reading.)

The problem for me is mounting /dev/shm noexec -- I can't find where to do it. I couldn't find a lot of information about this on the internet. The few sources mostly only suggest adding it to fstab, but I'm hesitant about this as it isn't there already. I'd rather change the settings at the source, where it's mounted in the first place. I also ran `grep -rwlsI -e shm` through /etc and /usr/share but didn't find anything that would've looked like the mounting of /dev/shm, or where parameters for it could have been changed.

So where can I change the mounting parameters of /dev/shm, or otherwise arrange it so that /dev/shm is noexec already at/after boot? (Out of curiosity, where is /dev/shm mounted from?) (Additional suggestions regarding security are most welcome, too.)

Kind regards,
Valter Jaakkola
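As an added example (my own script, not part of Valter's post), here is a small POSIX sh audit that answers the "is it actually noexec?" part of the question from `/proc/mounts` data and prints the fstab line the sources he mentions are referring to. The reason `grep` through /etc finds nothing is that on a systemd-based Debian 10 /dev/shm is mounted by systemd itself very early in boot, not from fstab or any config file; my understanding (an assumption worth verifying with `findmnt -o TARGET,OPTIONS /dev/shm` after a reboot) is that an fstab entry for /dev/shm is still honoured and simply remounts it with the extra options. The mount table below is a constructed sample so the script runs offline; swap in `"$(cat /proc/mounts)"` to audit a live system.

```shell
#!/bin/sh
# Audit whether selected mount points carry the noexec option, reading the
# six-field /proc/mounts format: "source target fstype options dump pass".
# (Note: /proc/mounts escapes spaces in paths as \040; not handled here.)

# Constructed sample table; /dev/shm deliberately lacks noexec.
SAMPLE_MOUNTS='tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,mode=755 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# mount_opts MOUNTS MOUNTPOINT -> prints the option field for MOUNTPOINT
# (nothing if the mount point is absent from MOUNTS)
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }'
}

# has_opt MOUNTS MOUNTPOINT OPTION -> 0 if OPTION is set, 1 if not, 2 if not mounted
has_opt() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# noexec_violations MOUNTS MOUNTPOINT... -> prints each listed mount point that
# is mounted without noexec; mount points not present in MOUNTS are skipped
noexec_violations() {
    mounts=$1; shift
    for mp in "$@"; do
        if has_opt "$mounts" "$mp" noexec; then
            :
        else
            [ $? -eq 2 ] || echo "$mp"
        fi
    done
}

# fstab_line MOUNTPOINT -> fstab entry that makes a tmpfs mount point
# nosuid,nodev,noexec at boot (assumption: systemd applies it on top of its
# own early /dev/shm mount; confirm with findmnt after rebooting)
fstab_line() {
    printf 'tmpfs %s tmpfs defaults,nosuid,nodev,noexec 0 0\n' "$1"
}

# remount_cmd MOUNTPOINT -> the command to apply noexec immediately, without a
# reboot, so it can be reviewed before running it as root
remount_cmd() {
    printf 'mount -o remount,noexec %s\n' "$1"
}

# Demo run over the constructed sample.
for mp in $(noexec_violations "$SAMPLE_MOUNTS" /dev/shm /dev/mqueue /run /tmp); do
    echo "WARNING: $mp is mounted without noexec"
    echo "  runtime fix : $(remount_cmd "$mp")"
    echo "  boot-time fix (append to /etc/fstab): $(fstab_line "$mp")"
done
```

Run on a real box as `sh audit.sh` after replacing the sample with `/proc/mounts`; nothing in it needs root except actually executing the printed remount command. Checking the live mount table rather than config files is the right check here precisely because /dev/shm has no config file of its own to inspect.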