[Discussion] disk mounted with noexec - is it useful? #2405

Closed
openoms opened this issue Jul 6, 2021 · 4 comments
Comments

@openoms
Collaborator

openoms commented Jul 6, 2021

The disk is currently mounted with noexec in the /etc/fstab so nothing on it can be executed.

For now we need to store any extensions (#2404) and C-lightning plugins on the SDcard and redownload them after SDcard changes unless this changes.

noexec is applied in the RaspiBolt guide (https://stadicus.github.io/RaspiBolt/raspibolt_20_pi.html#format-external-drive-and-mount), but does it have a real security benefit?

@m00ninite

fwiw, the noexec mount has screwed me up multiple times, aside from that extensions PR. I'd also love to know if there's a security benefit.

@xanoni

xanoni commented Jul 14, 2021

I'm not 100% sure if this is best practice, but why not just do 'mount -oremount,exec /xyz', execute the commands, and then lock it up again with '-oremount,noexec'?

AFAIK this works fine even for a hot system ... but maybe I just always got lucky ;-)

@xanoni

xanoni commented Aug 2, 2021

Just confirmed and this works fine on my machine:

$ mount |grep disk01
/dev/mapper/cdisk01 on /mnt/disk01 type ext4 (rw,nodev,noexec,noatime,discard)
$ sudo mount -oremount,exec /mnt/disk01/
$ mount |grep disk01
/dev/mapper/cdisk01 on /mnt/disk01 type ext4 (rw,nodev,noatime,discard)
$ sudo mount -oremount,noexec /mnt/disk01/
$ mount |grep disk01
/dev/mapper/cdisk01 on /mnt/disk01 type ext4 (rw,nodev,noexec,noatime,discard)
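The remount sequence above works, but if the command run in between fails or the shell is interrupted, the partition is left executable. The script below is an added example (not code from this thread or the project): it checks a mount's options from /proc/mounts-style lines and wraps the remount so noexec is restored on every exit path. The sample mount lines are constructed, modelled on the output above.

```shell
#!/bin/sh
# Added example: detect noexec from /proc/mounts lines and lift it only for
# the duration of one command, restoring it afterwards (even on failure).

# Constructed /proc/mounts sample: device mountpoint fstype options dump pass.
SAMPLE_MOUNTS='/dev/mapper/cdisk01 /mnt/disk01 ext4 rw,nodev,noexec,noatime,discard 0 0
/dev/mmcblk0p2 / ext4 rw,noatime 0 0'

# has_noexec MOUNTPOINT MOUNTS_TEXT
# Exit status: 0 = mounted with noexec, 1 = mounted without it, 2 = not mounted.
# MOUNTS_TEXT is passed in (normally "$(cat /proc/mounts)") so the check can be
# exercised against a sample without root.
has_noexec() {
    mp=$1
    [ "$mp" = / ] || mp=${mp%/}          # accept a trailing slash, as used above
    opts=$(printf '%s\n' "$2" | awk -v mp="$mp" '$2 == mp { print $4 }')
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# run_with_exec MOUNTPOINT CMD [ARGS...]
# Remounts with exec, runs CMD, then re-applies noexec. Needs root for mount.
run_with_exec() {
    mp=$1; shift
    rc=0; has_noexec "$mp" "$(cat /proc/mounts)" || rc=$?
    case $rc in
        1) "$@"; return ;;                       # already exec: nothing to lift
        2) echo "run_with_exec: $mp is not mounted" >&2; return 2 ;;
    esac
    mount -o remount,exec "$mp" || return 1
    # Restore noexec on any exit path so a failing CMD cannot leave the
    # storage partition executable.
    trap 'mount -o remount,noexec "$mp"' EXIT INT TERM
    "$@"
    rc=$?
    mount -o remount,noexec "$mp"
    trap - EXIT INT TERM
    return "$rc"
}

# Usage (as root), with a hypothetical installer path:
#   run_with_exec /mnt/disk01 /mnt/disk01/plugins/install.sh
```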

@openoms
Collaborator Author

openoms commented Aug 11, 2021

As discussed with rootzoll, the noexec on the disk / storage partition is useful because it limits the ability of any potential malware on the disk.
The c-lightning plugins will be executed from the SDcard and as seen with CLBOSS their data is typically stored in the .lightning directory (in /mnt/hdd/app-data/) or in the lightningd.sqlite3 itself.
Closing this as noexec stays.

@openoms openoms closed this as completed Aug 11, 2021