Mount /tmp as noexec inside unprivileged LXC container

mailinglists

Renowned Member
Mar 14, 2012
Hi,

I would like to mount /tmp with noexec inside an unprivileged LXC container on PM 4.4 with ZFS.
I guess I could add another mount point to the LXC container and then manually change the mount parameters in the config file for that container?

Is this the right way? How should it be done? Will PM overwrite my changes in some future update and/or operation?
 
Did you look into LXC's hooks? I suppose it should be possible to define mountopts in some mount hook.
 
I was not even aware they exist. If that's the only option, I will explore it.
If it's convenient for you, please post a link to documentation or give some examples.
If not, I will try and do it myself, when I get some free time.
 
Huh… according to the posts linked here we either overwrite custom settings when regenerating the config or ignore/bypass them altogether.
 
Thanks for your efforts. If I understand correctly, then this is not possible at the moment. Even when set with LXC hooks, right?
I guess it would be a nice feature to have, since all my shared hosting machines have always had /tmp mounted noexec and nosuid.
 
For /tmp specifically it should be possible to do without a mountpoint. Most distros allow mounting a tmpfs. So unless you require a shared mount for some reason, you should be able to solve your issue simply by adding a proper entry to /etc/fstab in the container.
Code:
tmpfs /tmp tmpfs rw,nodev,nosuid,noexec 0 0
 
What if I want to mount /tmp on a dedicated partition with noexec option?

I defined a new mount point on the GUI console: Container => Resource => New Mount Point => size 5G, Path=/tmp
Edited /etc/fstab
Code:
/dev/mapper/pve-vm--102--disk--2 /tmp ext4 rw,nodev,nosuid,noexec 0 0

But
Code:
root@Debian-v9-3-Template-LXC:~# mount | grep -e \/tmp
/dev/mapper/pve-vm--102--disk--2 on /tmp type ext4 (rw,relatime,stripe=64,data=ordered)

Is there a way to mount /tmp on a separate partition with the "noexec" option?
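The two posts above (the fstab tmpfs entry and the later ext4 mount point whose nodev,nosuid,noexec options did not take effect) both come down to the same verification step: after boot, check whether the options actually made it onto the live mount rather than trusting fstab. The script below is an added example, not code from any poster in this thread. It parses lines in the format printed by `mount` (as shown in the thread) and reports which required options are missing; `check_live_tmp` is a hypothetical wrapper name that runs the same check against the real /tmp of the system it is executed on.

```shell
#!/bin/sh
# Added example: verify that a mount carries the expected hardening options.
# Input format is the `mount` output shown in the thread:
#   <source> on <target> type <fstype> (<opt1>,<opt2>,...)

# missing_opts "<mount line>" "<comma-separated required options>"
# Prints the required options that are absent from the line, space-separated.
# Prints nothing when every required option is present.
missing_opts() {
    line=$1
    required=$2
    # Pull out the parenthesised option list; empty if the line has none.
    opts=$(printf '%s\n' "$line" | sed -n 's/.*(\([^)]*\)).*/\1/p')
    missing=""
    old_ifs=$IFS
    IFS=,
    for want in $required; do
        found=0
        for have in $opts; do
            [ "$have" = "$want" ] && found=1
        done
        [ "$found" -eq 1 ] || missing="$missing $want"
    done
    IFS=$old_ifs
    printf '%s\n' "${missing# }"
}

# mount_has_opts "<mount line>" "<required options>"
# Exit status 0 when nothing is missing, 1 otherwise (usable in if/&&).
mount_has_opts() {
    [ -z "$(missing_opts "$1" "$2")" ]
}

# check_live_tmp: hypothetical wrapper, runs the check against the real /tmp.
# Exit status 0 if /tmp is mounted with nodev,nosuid,noexec, 1 otherwise.
check_live_tmp() {
    live=$(mount | grep -E ' on /tmp ' | head -n 1)
    if [ -z "$live" ]; then
        echo "/tmp is not a separate mount" >&2
        return 1
    fi
    gap=$(missing_opts "$live" "nodev,nosuid,noexec")
    if [ -n "$gap" ]; then
        echo "/tmp is missing: $gap" >&2
        return 1
    fi
    echo "/tmp mount options OK"
}

# Constructed sample lines for offline demonstration.
# The first is the line posted in the thread (options not applied);
# the second is what a hardened tmpfs mount would look like.
SAMPLE_BAD='/dev/mapper/pve-vm--102--disk--2 on /tmp type ext4 (rw,relatime,stripe=64,data=ordered)'
SAMPLE_OK='tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)'

demo() {
    for sample in "$SAMPLE_BAD" "$SAMPLE_OK"; do
        gap=$(missing_opts "$sample" "nodev,nosuid,noexec")
        if [ -n "$gap" ]; then
            echo "MISSING [$gap] <- $sample"
        else
            echo "OK               <- $sample"
        fi
    done
}

demo
```

Run it inside the container once after a reboot; the thread's own ext4 line is reported as missing all three options, which is exactly the symptom in the last post. On util-linux systems `findmnt -no OPTIONS /tmp` gives the live option list directly and can replace the `mount | grep` step.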
 