Bug 1142055

Summary: /tmp mount not nodev,nosuid by default
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Fabian Vogt <fvogt>
Component: YaST2
Assignee: YaST Team <yast-internal>
Status: CONFIRMED ---
QA Contact: Jiri Srain <jsrain>
Severity: Normal
Priority: P5 - None
CC: aschnell, jlopez, meissner, security-team
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://trello.com/c/7g7HUGpV
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Fabian Vogt 2019-07-18 14:29:26 UTC
I noticed that in a default install, the @/tmp subvolume mounted at /tmp does not have the nodev,nosuid options set by default.

This is recommended by most security guides and, except in very rare cases, has no downsides.

Using the tmp.mount unit from systemd (which uses tmpfs), those flags are set.

Comment 1 José Iván López González 2019-07-19 08:38:36 UTC
Hi Fabian,

Thanks for reporting. Yes, right now we have no way to specify such options for each Btrfs subvolume. We have plans to improve it, this is something under our radar. We will track this card to take it into account. Thanks!
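
A check for the condition reported above, as an added example that is not part of the original bug report or of YaST: it reads a mount table in the format of /proc/self/mounts and prints which of nodev,nosuid the /tmp entry lacks. The function name `missing_opts` and both sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which hardening options a mount point lacks.
# Input (stdin) uses the /proc/self/mounts layout:
#   device mountpoint fstype options dump pass

# missing_opts MOUNTPOINT [REQUIRED_OPTS] < mount-table
# Prints the required options absent from the LAST entry for MOUNTPOINT
# (a later mount shadows an earlier one on the same path).
# Exit status: 0 = all present, 1 = some missing,
#              2 = no such mount (e.g. /tmp is a plain directory on /).
missing_opts() {
    awk -v mp="$1" -v req="${2:-nodev,nosuid}" '
        $2 == mp { opts = $4; found = 1 }
        END {
            if (!found) exit 2
            n = split(opts, have, ",")
            for (i = 1; i <= n; i++) set[have[i]] = 1
            m = split(req, want, ",")
            out = ""
            for (i = 1; i <= m; i++)
                if (!(want[i] in set))
                    out = out (out == "" ? "" : ",") want[i]
            if (out != "") { print out; exit 1 }
        }'
}

# Constructed sample: Btrfs @/tmp subvolume mounted without the flags,
# the situation the report describes.
SAMPLE_BTRFS='/dev/sda2 / btrfs rw,relatime,subvol=/@/.snapshots/1/snapshot 0 0
/dev/sda2 /tmp btrfs rw,relatime,subvol=/@/tmp 0 0'

# Constructed sample: tmpfs /tmp as mounted by the systemd tmp.mount unit.
SAMPLE_TMPFS='tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# Demo over the two constructed tables.
for table in "$SAMPLE_BTRFS" "$SAMPLE_TMPFS"; do
    if m=$(printf '%s\n' "$table" | missing_opts /tmp); then
        echo "/tmp: nodev,nosuid present"
    else
        echo "/tmp: missing $m"
    fi
done
```

On a live system, run `missing_opts /tmp < /proc/self/mounts`; exit status 2 means /tmp is not a separate mount and inherits the options of its parent file system.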