On Wed, 27 Sep 2017, Theodore Wynnychenko wrote: ... > Thank you for the information. I removed the “noexec” flag from fstab > and the error has disappeared. > > But, I am also surprised by the requirement that /tmp _not_ be mounted > noexec for this to function correctly. I recall reading that it was > best to mount filesystems with the most restrictive settings possible > for that specific filesystem, and that /tmp should be mounted with > (essentially) nothing set (ie: nodev, nosuid, noexec). > > Am I incorrect or has something changed in this regard? > > It seems to me that, as a general rule, making /tmp noexec is a good > thing from a security standpoint; but I admit that I don’t know enough > about this to be sure. > > Anyway, I just added a line to rc.local to remount temp as noexec at the > end of the boot so that rc would work without errors and that /tmp is > noexec once the system is up.
To quote a co-worker: "What problem are you trying to solve?" Or, in this case: What attack/threat vector are you trying to block? What on your system is running with (a) ability to exec (think pledge(2)), *and* (b) access to /tmp but *without* write access to other directories (like $HOME) that aren't mounted noexec? If the answer is "nothing", then marking /tmp as noexec is only annoying you. Philip Guenther
