From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Sat, 3 Oct 2020 10:08:10 +0000 (+0200)
Subject: man: add a note about flags on /tmp and /var/tmp
X-Git-Tag: v247-rc1~116^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7ec2f5e00c56935e53aaf4c5ee5e9cb5a436cb6c;p=thirdparty%2Fsystemd.git

man: add a note about flags on /tmp and /var/tmp

Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1875340.
---

diff --git a/man/file-hierarchy.xml b/man/file-hierarchy.xml
index 2c80c2c1a9d..996876f48a3 100644
--- a/man/file-hierarchy.xml
+++ b/man/file-hierarchy.xml
@@ -589,6 +589,19 @@
     directives of service units (see
     <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
     for details).</para>
+
+    <para><filename>/tmp/</filename>, <filename>/var/tmp/</filename> and <filename>/dev/shm/</filename>
+    should be mounted <option>nosuid</option> and <option>nodev</option>, which means that set-user-id mode
+    and character or block special devices are not interpreted on those file systems. In general it is not
+    possible to mount them <option>noexec</option>, because various programs use those directories for
+    dynamically generated or optimized code, and with that flag those use cases would break. Using this flag
+    is OK on special-purpose installations or systems where all software that may be installed is known and
+    doesn't require such functionality. See the discussion of
+    <option>nosuid</option>/<option>nodev</option>/<option>noexec</option> in <citerefentry
+    project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum></citerefentry> and
+    <constant>PROT_EXEC</constant> in <citerefentry
+    project='man-pages'><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry>.
+    </para>
   </refsect1>
 
   <refsect1>