/dev/shm missing from /etc/fstab: what's the syntax to add it to fstab?

sunhux asked (last modified: 2020-01-09):
I wanted to set 'nosuid,noexec,nodev' on the /dev/shm partition
so that the settings stay across reboots. However, I can't see
this partition listed in my fstab, as shown below:

What should I add to fstab? Or is this done in another file?

$ cat fstab
# /etc/fstab
# Created by anaconda on Thu Nov  1 22:13:57 2018
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/rhel-root   /                       xfs     defaults        0 0
UUID=023c84eb-dcc5-4ea9-9841-fc936246dd98 /boot                   xfs     defaults        0 0
/dev/mapper/rhel-home   /home                   xfs     defaults,nodev,relatime        0 0
/dev/mapper/rhel-tmp    /tmp                    xfs     defaults,nodev,nosuid,noexec        0 0
/dev/mapper/rhel-var    /var                    xfs     defaults        0 0
/dev/mapper/rhel-swap   swap                    swap    defaults        0 0
# NFS Shared drive from Bootstrap node
10.121.0.43:/JPOM/efs    /efs   nfs    defaults 0 0

$ df
Filesystem            1K-blocks    Used Available Use% Mounted on
/dev/mapper/rhel-root  30254660 3818732  26435928  13% /
devtmpfs                8121512       0   8121512   0% /dev
tmpfs                   8133368       0   8133368   0% /dev/shm         <==
tmpfs                   8133368  786484   7346884  10% /run
tmpfs                   8133368       0   8133368   0% /sys/fs/cgroup
/dev/sda1               1942528  189860   1752668  10% /boot
/dev/mapper/rhel-home   5851136   33004   5818132   1% /home
/dev/mapper/rhel-var   51731784 2282524  49449260   5% /var
/dev/mapper/rhel-tmp    9754624   33108   9721516   1% /tmp
overlay                51731784 2282524  49449260   5% /var/lib/docker/overlay2/ea912a7aab77978c83a2722cc2a959fb29991315e58f7645b50abf7e977f8fd4/merged
shm                       65536       0     65536   0% /var/lib/docker/containers/9ecb9daecab1b8646ebcc4f3fd9d181745e68622277c8f0df2f3a2508b2afe11/shm
tmpfs                   1626676       0   1626676   0% /run/user/0

Software Engineer commented:
shm is mounted by the system startup scripts; I think it already has those attributes.

if /dev/shm is available it has been mounted.
On my system (Gentoo) it is mounted: shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
(from: mount | grep shm)


Author commented:
It's mounted on my system but without those attributes.
noci (Software Engineer) commented:
My startup system is OpenRC so I can't really help with systemd.
You will need to find the script/settings where /dev/shm gets mounted.

Maybe you can add a line along the lines of:

tmpfs    /dev/shm tmpfs nodev,nosuid,noexec,mode=1777 0 0

(if that gets handled correctly before special mounts are done; I doubt it though, as /dev/shm needs to be created.)
David Favor (Fractional CTO) commented:
1) /dev/shm is managed by the system, as noci stated.

2) If you muck about with startup files owned by the packaging system, they will eventually be overwritten + your changes lost.

3) Many security guides suggesting this are... no nice way to say this... brain dead... They make systems so secure, no code can run.

4) /dev/shm settings must be preserved for your Distro to work, so you can run a script in a CRON @reboot target to wait till /dev/shm appears, then change /dev/shm mount options. Just like your other question, making any changes like this can cause your machine to behave very oddly.

5) Here's what Ubuntu default options are...

net16 # lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.3 LTS
Release:	18.04
Codename:	bionic

net16 # mount | grep /dev/shm
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)


Certified Expert commented:
"/dev/shm settings must be preserved for your Distro to work"

Hmm... AFAIK, only a few programs use /dev/shm and most distros should work without it at all.
noci (Software Engineer) commented:
/dev/shm is used for POSIX shared memory and POSIX IPC, so it is used fairly invisibly.
You may see it work in tools that use multiple processes to work together. Oracle RDBMS (SGA), Firefox, Chromium, ...
Certified Expert commented:
Yeah. I don't usually see too much of that used in the bare OS nor in that much server software, though. Whatever the case, there is no reason why nosuid or noexec would hurt harmless programs.
noci (Software Engineer) commented:
Oracle RDBMS is server software... Also, I found rspamd (spam filter solution) uses it to communicate between modules.

Author commented:
So how should I set /dev/shm as 'nosuid, noexec, nodev':
put it in cron, or in /etc/rc2.d/S1ofthescripts.sh?

We're running containers/Mesosphere (& I'm completely new
to this; I'm only responsible for getting the hardening done):
will setting 'nosuid, ...' hurt the containers & their services?
noci (Software Engineer) commented:
In crontab:

@reboot /bin/mount -o remount,nosuid,noexec,nodev tmpfs -t tmpfs /dev/shm 



For systemd /etc/init.d is NOT used. For now there is a compatibility layer for tooling that has no systemd script 'yet'.

Crontab is reasonably safe as it will be run when crond starts, which is way later in the boot process.
David Favor (Fractional CTO) commented:
As noci suggested, the CRON @reboot target will work for either OpenRC or systemd systems.

The only change I'd make would be to put in a wait for /dev/shm to actually appear, prior to doing the remount, otherwise you'll have a race condition, where sometimes your remount will work + sometimes it will fail.
noci (Software Engineer) commented:
David, crond is started fairly late in the startup sequence; the core mounts /sys, /tmp etc. need to be established well before this.
(/tmp, /sys etc. are done before the general mounts like /var, where the spool directory for cron is.)
So /dev/shm should be there well before crond has a chance to start.
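The @reboot remount from noci's comment, wrapped with the wait for /dev/shm that David asked for and a check of what the kernel reports afterwards, as an added example (not code from the thread). It uses the plain `mount -o remount,... /dev/shm` form rather than re-specifying device and type; the /proc/mounts sample is constructed for the offline self-check, and the 60-second timeout and the `--apply` switch are assumptions.

```shell
#!/bin/sh
# Added example: remount /dev/shm with nosuid,noexec,nodev from a crontab
# "@reboot /path/to/harden-shm.sh --apply" entry, waiting for the mount
# to appear first and verifying the result. Not code from the thread.
# Constructed /proc/mounts sample (not from a real host) for the offline checks.
SAMPLE_MOUNTS='/dev/mapper/rhel-root / xfs rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

# Print the mount options of /dev/shm from a /proc/mounts-style file; empty if absent.
shm_opts() {
    awk '$2 == "/dev/shm" { print $4; found = 1 } END { if (!found) print "" }' "$1"
}

# Succeed when the comma-separated option list $1 contains the single option $2.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Print the hardening options that are missing from option list $1 (empty = all set).
missing_opts() {
    missing=""
    for o in nodev nosuid noexec; do
        has_opt "$1" "$o" || missing="${missing:+$missing,}$o"
    done
    printf '%s\n' "$missing"
}

# Wait up to $1 seconds for /dev/shm to show up in /proc/mounts (avoids the race
# David mentioned); 0 once it is mounted, 1 on timeout.
wait_for_shm() {
    i=0
    while [ "$i" -lt "$1" ]; do
        [ -n "$(shm_opts /proc/mounts)" ] && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

# Remount with the hardening flags and confirm the kernel now reports them.
harden_shm() {
    wait_for_shm 60 || { echo "/dev/shm never appeared" >&2; return 1; }   # 60 s is an assumed limit
    mount -o remount,nosuid,noexec,nodev /dev/shm || return 1
    rest="$(missing_opts "$(shm_opts /proc/mounts)")"
    [ -z "$rest" ] || { echo "/dev/shm still lacks: $rest" >&2; return 1; }
}

# Only touch the real mount when explicitly asked to (e.g. from the @reboot entry).
if [ "${1:-}" = "--apply" ]; then harden_shm; fi
```

Run `sh harden-shm.sh --apply` as root once to confirm the remount works before trusting the cron entry; the functions can also be sourced to audit an existing host without changing anything.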