linux-ext4.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: bugzilla-daemon@bugzilla.kernel.org
To: linux-ext4@vger.kernel.org
Subject: [Bug 203585] Feature Request for filesystems that support noexec/exec mount options
Date: Sun, 12 May 2019 17:46:00 +0000	[thread overview]
Message-ID: <bug-203585-13602-pdmBatM6g9@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-203585-13602@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=203585

Theodore Tso (tytso@mit.edu) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |tytso@mit.edu
         Resolution|---                         |WILL_NOT_FIX

--- Comment #1 from Theodore Tso (tytso@mit.edu) ---
This is not at all trivial to implement, for a number of reasons:

*)  The kernel doesn't have access to the username to uid map.   It might be in
/etc/passwd; but you might also be using LDAP or Yellow Pages for the
username->uid map.   This could done by adding support for this to each file
system which implements this feature request's /sbin/mount.FSTYP, but...

*) This also begs the question of how to handle user namespaces.

The simplest way of solving this problem may be to change the web application
to write its temporary file in some other directory, and let that directory be
writable only by the web application's user id, and let that directory be
mounted without the noexec flag.  If you are using tmpfs, you can mount
multiple tmpfs instances, and create a special one which has mount options just
for that web application, with an fstab entry like this:

tmpfs /run/user/1042 tmpfs
rw,nosuid,nodev,relatime,size=2048k,mode=700,uid=1042,gid=1042 0 0

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

  reply	other threads:[~2019-05-12 17:46 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-12 17:21 [Bug 203585] New: Feature Request for filesystems that support noexec/exec mount options bugzilla-daemon
2019-05-12 17:46 ` bugzilla-daemon [this message]
2019-05-12 18:12 ` [Bug 203585] " bugzilla-daemon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-203585-13602-pdmBatM6g9@https.bugzilla.kernel.org/ \
    --to=bugzilla-daemon@bugzilla.kernel.org \
    --cc=linux-ext4@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).