/dev/shm
Having just gotten around to installing 12.1, I've noticed that I've gained a /dev/shm tmpfs filesystem. What's the deal with this? From quick google searches, amongst all the mis-information I've found a bit of detail and that it belongs to the libc6 posix shared memory implementation. Is this a new implementation of the, SysV IPC shmctl(2) et al, or is it something new?
Though its not a major issue for me, I like to run a tight ship and what concerns me is that /dev/shm appears to be a world writable filesystem and that it can be abused by putting files directly in it as such.... Code:
bash-3.1$ free Now, I could reduce the max size of the tmpfs filesystem it sits on to mitigate risk, but I just don't like having this thing world writable on principle. You can protect most resources with ulimit setting or filesystem quotas, but there doesn't seem to be any per user or per process settings in regard to shm that I can find and even if they did exist, the world writable directory would just allow an attacker to bypass them anyway. Please, is there anyone out there that can explain to me what this new world writable filesystem is all about and whether I can do anything to tighten this up, or is it just something I have to live with. SysV IPC Shared Memory seemed to work fine in the past without it. UPDATE: I've found a little more. Hidden in the kernel documentation for the tmpfs filesystem is this... Quote:
|
The proprietary ATI display drivers expect a tmpfs. So do QEMU's accelerator kernel module 'kqemu' and the JACK audio connection kit. Maybe more programs that I am not aware of.
None of those ship with Slackware by default so it should be safe to remove that line from fstab. Eric |
Thanks Eric. I feel happier now I know its something new rather than a reworking of the old SysV stuff.
Technically, I guess there's not much difference between the way this works and a malicious/errant program using up all of the SYSV Shared memory pool, or even /tmp for that matter. I guess that with /dev/shm its just easier to do it from the shell. Anyway, I've decided to leave it in there but shrink the size a little as the default is quite large and to add noexec,nodev,nosuid to the fstab entry as below to make me feel a little better about it being world writable. tmpfs /dev/shm tmpfs size=256m,noexec,nodev,nosuid Hopefully, this won't break anything. |
All times are GMT -5. The time now is 11:42 PM. |