2.15 Add nosuid Option to /run/shm Partition

Information

The nosuid mount option tells the kernel to ignore the setuid and setgid bits on
executables stored on /run/shm (a tmpfs, i.e. a temporary filesystem held in memory):
such programs run with the uid and gid of the user who invokes them rather than with the
privileges of the file's owner or group.

*Rationale*

/run/shm is world-writable, so any local user can copy a setuid or setgid binary there.
Setting nosuid on the file system makes those bits ineffective, which prevents users from
introducing privileged programs onto the system and allowing other non-root users to
execute them with elevated privileges.

Solution

Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of every
entry whose mount point is /run/shm. See the fstab(5) manual page for more information.
Then apply the option to the running system without a reboot:

# mount -o remount,nosuid /run/shm

On systems where /run/shm is a symbolic link to /dev/shm (or the reverse), the option
must be applied to the mount point that actually appears in the mount table, since that
is the entry the kernel enforces.
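The audit and the fstab edit above, as an added worked example (this is not code from the CIS benchmark or the Tenable plugin; the helper names has_mount_option, fstab_add_option and audit_live, and the sample mount table and fstab text, are hypothetical and constructed so the helpers can be exercised offline):

```sh
# Constructed sample in /proc/self/mounts format: /run/shm is compliant,
# /dev/shm lacks nosuid, and /tmp is not a separate mount at all.
SAMPLE_MOUNTS='tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0
none /run/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0'

# Constructed /etc/fstab excerpt with a /run/shm entry that needs fixing.
SAMPLE_FSTAB='UUID=0000-0000 / ext4 errors=remount-ro 0 1
none /run/shm tmpfs defaults 0 0
tmpfs /dev/shm tmpfs defaults,nodev 0 0'

# has_mount_option MOUNTS_TEXT MOUNTPOINT OPTION
#   0 if OPTION is set on MOUNTPOINT, 1 if the mount exists without it,
#   2 if MOUNTPOINT is not mounted at all (also a finding for this control).
has_mount_option() {
    mounts=$1 target=$2 opt=$3
    opts=$(printf '%s\n' "$mounts" | awk -v t="$target" '$2 == t { print $4; exit }')
    [ -n "$opts" ] || return 2
    # Options are comma-separated; match the whole token so "nosuid" is not
    # satisfied by some other option that merely contains the string.
    printf '%s\n' "$opts" | tr ',' '\n' | grep -qx "$opt"
}

# fstab_add_option FSTAB_TEXT MOUNTPOINT OPTION
#   Prints FSTAB_TEXT with OPTION appended to the fourth field of every
#   non-comment entry whose mount point is MOUNTPOINT. Entries that already
#   carry the option are left untouched, so the edit is idempotent.
#   (awk rebuilds a modified line with single spaces between fields.)
fstab_add_option() {
    printf '%s\n' "$1" | awk -v t="$2" -v o="$3" '
        $1 !~ /^#/ && $2 == t {
            n = split($4, parts, ",")
            found = 0
            for (i = 1; i <= n; i++) if (parts[i] == o) found = 1
            if (!found) $4 = $4 "," o
        }
        { print }'
}

# audit_live MOUNTPOINT
#   Runs the check against this host's mount table and reports PASS/FAIL
#   in the style of the audit item; returns the has_mount_option status.
audit_live() {
    mp=${1:-/run/shm}
    rc=0
    has_mount_option "$(cat /proc/self/mounts)" "$mp" nosuid || rc=$?
    case $rc in
        0) echo "PASS: $mp is mounted nosuid" ;;
        1) echo "FAIL: $mp is mounted without nosuid (fix: mount -o remount,nosuid $mp)" ;;
        *) echo "FAIL: $mp is not a separate mount point" ;;
    esac
    return $rc
}

# Run with --live to audit the current host instead of the sample data.
if [ "${1:-}" = --live ]; then
    audit_live /run/shm
fi
```

On hosts with util-linux, `findmnt -n -o OPTIONS /run/shm` prints the same options field that has_mount_option extracts from /proc/self/mounts; either source is fine, but check the live mount table rather than only /etc/fstab, because an fstab entry proves nothing about what is actually mounted.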

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|3.1, CSCv7|5.1

Plugin: Unix

Control ID: 3c216141143db356be272d2b80dcedf70c735adfc2a1a6499026de4d1c9e5ff0