[Discussion] disk mounted with noexec - is it useful? #2405
Comments
fwiw, the |
I'm not 100% sure if this is best practice, but why not just do 'mount -oremount,exec /xyz', execute the commands, and then lock it up again with '-oremount,noexec'? AFAIK this works fine even for a hot system ... but maybe I just always got lucky ;-)
Just confirmed and this works fine on my machine:

```
$ mount |grep disk01
/dev/mapper/cdisk01 on /mnt/disk01 type ext4 (rw,nodev,noexec,noatime,discard)
$ sudo mount -oremount,exec /mnt/disk01/
$ mount |grep disk01
/dev/mapper/cdisk01 on /mnt/disk01 type ext4 (rw,nodev,noatime,discard)
$ sudo mount -oremount,noexec /mnt/disk01/
$ mount |grep disk01
/dev/mapper/cdisk01 on /mnt/disk01 type ext4 (rw,nodev,noexec,noatime,discard)
```
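
The remount procedure from the session above, wrapped so the disk is re-locked even when the command fails or is interrupted. This is an added example, not part of the thread or the project's code; the function names `mount_has_opt`, `with_exec` and `sample_mounts` and the `disk02` sample entry are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: unlock a noexec mount for one command, then always re-lock it.

# Constructed sample in /proc/self/mounts format, modelled on the session above.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/cdisk01 /mnt/disk01 ext4 rw,nodev,noexec,noatime,discard 0 0
/dev/mapper/cdisk02 /mnt/disk02 ext4 rw,nodev,noatime,discard 0 0
EOF
}

# mount_has_opt MOUNTPOINT OPTION [TABLE]
# 0: option present as a whole comma-separated field, 1: absent, 2: not mounted.
mount_has_opt() {
    local mp=$1 opt=$2 table=${3:-/proc/self/mounts}
    awk -v mp="$mp" -v opt="$opt" '
        $2 == mp { opts = $4; seen = 1 }   # a later entry shadows an earlier one
        END {
            if (!seen) exit 2
            n = split(opts, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == opt) exit 0
            exit 1
        }' "$table"
}

# with_exec MOUNTPOINT CMD [ARGS...]
# Needs sudo rights for mount, as in the session above. Linux only.
with_exec() {
    local mp=${1%/} rc=0      # /proc/self/mounts lists paths without trailing slash
    shift
    mount_has_opt "$mp" noexec || { echo "$mp: not mounted noexec, refusing" >&2; return 1; }
    (
        # Register the re-lock before unlocking so no exit path skips it.
        trap 'sudo mount -o remount,noexec "$mp"' EXIT
        trap 'exit 130' INT TERM
        sudo mount -o remount,exec "$mp" || exit 1
        "$@"
        exit $?
    ) || rc=$?
    # Verify against the kernel's view instead of trusting mount's exit code.
    mount_has_opt "$mp" noexec || { echo "$mp: re-lock failed, still exec" >&2; return 70; }
    return "$rc"
}
```

Usage: `with_exec /mnt/disk01 /mnt/disk01/some-plugin --help` (hypothetical path). Other processes can also execute files from the disk while the command runs, so the window should be kept short.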
As discussed with rootzoll, the noexec on the disk / storage partition is useful because it limits the ability of any potential malware on the disk.
The disk is currently mounted with `noexec` in the `/etc/fstab` so nothing on it can be executed.

For now we need to store any extensions (#2404) and C-lightning plugins on the SDcard and redownload them after SDcard changes unless this changes.

`noexec` is applied in the RaspiBolt guide (https://stadicus.github.io/RaspiBolt/raspibolt_20_pi.html#format-external-drive-and-mount), but does it have a real security benefit?