Skip to main content
Topic: Shared memory mounted read-only (Read 872 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Shared memory mounted read-only

Hello, i came across an article claiming that mounting shared memory in read-write mode can be dangerous and prone to exploits, quote "Because two or more processes can use the same memory space, it has been discovered that, since shared memory is, by default, mounted as read/write, the /run/shm space can be easily exploited" Later in the article they say mounting shm in read only mode can cause some problems though ex. google chrome. What can go wrong in artix if we mount shm in read-only mode if we don't use "ever" chrome. Another option less restrictive is "mount the shared memory with read/write access but without permission to execute programs, change the UID of running programs, or to create block or character devices in the namespace". If anyone know more about this aspect i would be very happy to hear your thoughts.  ;) . Thanks in advance in case anyone can tell more about this one

P.S. source is techrepublic

Re: Shared memory mounted read-only

Reply #1
I have no idea what article you are referring to, but tons of programs will of course use shared memory and need write access to /dev/shm. I'd expect tons of things to break if that is changed.

Re: Shared memory mounted read-only

Reply #2
Thanks for the advice this is the article

Re: Shared memory mounted read-only

Reply #4
The shm is not dismissed entirely just mounted read-only or the second less harsh version with read/write but without executing stuff from memory.
 

Re: Shared memory mounted read-only

Reply #5
The article is talking about servers in a data center which may use a limited and fixed number of apps, and suggests you simply test if it works on the installation in question.
But this may be relevant:
https://forum.artixlinux.org/index.php/topic,1830.0.html
That shows there have recently been changes to virtual memory file systems in the kernel to make them more restrictive by default, after that article was written. Possibly they mitigate these exploits - I don't know but it seems potentially linked, there must have been some reason for the changes.