Opened 6 months ago

Closed 4 months ago

Last modified 4 months ago

#929 closed Feature Request (fixed)

Set noexec, nodev, nosuid boot options on certain datasets during installation

Reported by: yggdrasil Owned by: kris
Priority: minor Milestone:
Component: Installer Version: 10.0-RELEASE
Keywords: Cc: trac-bugs@…

Description

Hi,

I'd like to have the installer set up the ZFS pool to mount datasets with security-related mount options like OpenBSD does by default. Setting e.g. noexec and nosuid for /tmp, /var{/log,/tmp} etc.

Thank you

Change History (2)

comment:1 Changed 4 months ago by kris

  • Resolution set to fixed
  • Status changed from new to closed

Good thinking, I added it, along with the ability to manually set exec/suid on other ZFS datasets.

https://github.com/pcbsd/pcbsd/commit/37284b2936a9b845b6fc09d6cbe82ac59629612a

comment:2 Changed 4 months ago by yggdrasil

I actually completely forgot about this one :D
I vaguely remember that in my test, setting noexec on /tmp led to problems building some ports, because for reasons I can't really fathom they use /tmp to execute some stuff?! I would REALLY like to have noexec /tmp, but I'm not sure how compatible this is with ports, just FYI.
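
An added example, not part of the ticket or of the PC-BSD installer: a check that reports datasets mounted at the locations named in the request (/tmp, /var/log, /var/tmp) whose ZFS `exec` or `setuid` property is not `off`. The function names, the `HARDENED_MOUNTS` list and the `tank/...` sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Audit ZFS datasets for the noexec/nosuid hardening requested in this ticket.
# Input: tab-separated "name<TAB>property<TAB>value" lines, as printed by
#   zfs get -H -o name,property,value mountpoint,exec,setuid
# Assumption: the mountpoints to check are the ones named in the ticket text.
HARDENED_MOUNTS="/tmp /var/tmp /var/log"

audit_mount_flags() {
    awk -F '\t' -v targets="$HARDENED_MOUNTS" '
        BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        # Collect every property per dataset; line order does not matter.
        { prop[$1, $2] = $3; seen[$1] = 1 }
        END {
            for (ds in seen) {
                mp = prop[ds, "mountpoint"]
                if (!(mp in want)) continue
                # A missing property is reported too: it cannot be shown to be off.
                if (prop[ds, "exec"] != "off")
                    print ds "\t" mp "\texec=" prop[ds, "exec"]
                if (prop[ds, "setuid"] != "off")
                    print ds "\t" mp "\tsetuid=" prop[ds, "setuid"]
            }
        }' | sort   # awk array order is unspecified, so sort for stable output
}

# Constructed sample input (hypothetical pool "tank"), so the check runs offline.
sample_zfs_output() {
    printf 'tank/tmp\tmountpoint\t/tmp\n'
    printf 'tank/tmp\texec\ton\n'
    printf 'tank/tmp\tsetuid\toff\n'
    printf 'tank/var/log\tmountpoint\t/var/log\n'
    printf 'tank/var/log\texec\toff\n'
    printf 'tank/var/log\tsetuid\toff\n'
    printf 'tank/var/tmp\tmountpoint\t/var/tmp\n'
    printf 'tank/var/tmp\texec\toff\n'
    printf 'tank/var/tmp\tsetuid\ton\n'
    printf 'tank/usr/home\tmountpoint\t/usr/home\n'
    printf 'tank/usr/home\texec\ton\n'
    printf 'tank/usr/home\tsetuid\ton\n'
}

# Demo on the sample; on a live system pipe the zfs get command above instead.
sample_zfs_output | audit_mount_flags
```

A reported dataset can be corrected with `zfs set exec=off <dataset>` or `zfs set setuid=off <dataset>`; the port-build problem described in comment:2 is the case to test after turning `exec` off on /tmp.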
