Merge pull request #17238 from keszybz/man-tmp-noexec

Say that noexec should not be used for /tmp
Lennart Poettering
2020-10-07 09:45:58 +02:00
committed by GitHub
57 changed files with 289 additions and 281 deletions


@@ -1,10 +1,10 @@
---
title: Using /tmp/ And /var/tmp/ Safely
title: Using /tmp/ and /var/tmp/ Safely
category: Interfaces
layout: default
---
# Using `/tmp/` And `/var/tmp/` Safely
# Using `/tmp/` and `/var/tmp/` Safely
`/tmp/` and `/var/tmp/` are two world-writable directories Linux systems
provide for temporary files. The former is typically on `tmpfs` and thus
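Review bot: the front-matter title and the H1 change only in capitalization ("And" to "and"), but that exact string is also used as link text in every <ulink> that points at https://systemd.io/TEMPORARY_DIRECTORIES (the file-hierarchy.xml hunks later in this commit update two of them). Grep for the old spelling across man/ and docs/ so the page title and all link texts end up identical in this one commit.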


@@ -227,7 +227,7 @@ emergency.service | | |
<filename>initrd-root-fs.target</filename> is reached. The service
<filename>initrd-parse-etc.service</filename> scans
<filename>/sysroot/etc/fstab</filename> for a possible
<filename>/usr</filename> mount point and additional entries
<filename>/usr/</filename> mount point and additional entries
marked with the <emphasis>x-initrd.mount</emphasis> option. All
entries found are mounted below <filename>/sysroot</filename>, and
<filename>initrd-fs.target</filename> is reached. The service
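Review bot: the trailing-slash convention is applied to <filename>/usr/</filename> here, but two lines further down "All entries found are mounted below <filename>/sysroot</filename>" is a directory left without one in the same hunk; change it to <filename>/sysroot/</filename> for consistency. <filename>/sysroot/etc/fstab</filename> is a file and is correct as written.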


@@ -357,9 +357,9 @@
<para>Controls whether credential data reported by
<command>list</command> or <command>status</command> shall
be augmented with data from
<filename>/proc</filename>. When this is turned on, the data
<filename>/proc/</filename>. When this is turned on, the data
shown is possibly inconsistent, as the data read from
<filename>/proc</filename> might be more recent than the rest of
<filename>/proc/</filename> might be more recent than the rest of
the credential information. Defaults to <literal>yes</literal>.</para>
</listitem>
</varlistentry>


@@ -127,20 +127,23 @@
<term><filename>/tmp/</filename></term>
<listitem><para>The place for small temporary files. This directory is usually mounted as a
<literal>tmpfs</literal> instance, and should hence not be used for larger files. (Use
<filename>/var/tmp/</filename> for larger files.) Since the directory is accessible to other users of
the system, it is essential that this directory is only written to with the <citerefentry
project='man-pages'><refentrytitle>mkstemp</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
<citerefentry
project='man-pages'><refentrytitle>mkdtemp</refentrytitle><manvolnum>3</manvolnum></citerefentry> and
related calls. This directory is usually flushed at boot-up. Also, files that are not accessed within
a certain time are usually automatically deleted. If applications find the environment variable
<varname>$TMPDIR</varname> set, they should prefer using the directory specified in it over directly
referencing <filename>/tmp/</filename> (see <citerefentry
<filename>/var/tmp/</filename> for larger files.) This directory is usually flushed at boot-up. Also,
files that are not accessed within a certain time may be automatically deleted.</para>
<para>If applications find the environment variable <varname>$TMPDIR</varname> set, they should use
the directory specified in it instead of <filename>/tmp/</filename> (see <citerefentry
project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> and
<ulink url="http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_03">IEEE
Std 1003.1</ulink> for details). For further details about this directory, see <ulink
url="https://systemd.io/TEMPORARY_DIRECTORIES">Using /tmp/ And /var/tmp/
Safely</ulink>.</para></listitem>
Std 1003.1</ulink> for details).</para>
<para>Since <filename>/tmp/</filename> is accessible to other users of the system, it is essential
that files and subdirectories under this directory are only created with <citerefentry
project='man-pages'><refentrytitle>mkstemp</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
<citerefentry
project='man-pages'><refentrytitle>mkdtemp</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
and similar calls. For more details, see <ulink url="https://systemd.io/TEMPORARY_DIRECTORIES">Using
/tmp/ and /var/tmp/ Safely</ulink>.</para>
</listitem>
</varlistentry>
</variablelist>
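Review bot: the security paragraph now states the rule (files and subdirectories "are only created with mkstemp(3), mkdtemp(3), and similar calls") but not the reason, and the only hint is "accessible to other users of the system". Add a clause such as "since another user may otherwise have placed a file or symlink of the same name there first", so readers understand that predictable names in a world-writable directory are the hazard rather than file creation as such. The move from "only written to with" to "only created with" is the right direction, since the race is on creating a name, so keep that wording. The softening of "are usually automatically deleted" to "may be automatically deleted" is also correct, since age-based cleanup depends on the tmpfiles configuration in effect.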
@@ -334,20 +337,22 @@
<term><filename>/var/tmp/</filename></term>
<listitem><para>The place for larger and persistent temporary files. In contrast to
<filename>/tmp/</filename>, this directory is usually mounted from a persistent physical file system
and can thus accept larger files. (Use <filename>/tmp/</filename> for smaller files.) This directory
is generally not flushed at boot-up, but time-based cleanup of files that have not been accessed for
a certain time is applied. The same security restrictions as with <filename>/tmp/</filename> apply,
and hence only <citerefentry
and can thus accept larger files. (Use <filename>/tmp/</filename> for small ephemeral files.) This
directory is generally not flushed at boot-up, but time-based cleanup of files that have not been
accessed for a certain time is applied.</para>
<para>If applications find the environment variable <varname>$TMPDIR</varname> set, they should use
the directory specified in it instead of <filename>/var/tmp/</filename> (see <citerefentry
project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
details).</para>
<para>The same security restrictions as with <filename>/tmp/</filename> apply: <citerefentry
project='man-pages'><refentrytitle>mkstemp</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
<citerefentry
project='man-pages'><refentrytitle>mkdtemp</refentrytitle><manvolnum>3</manvolnum></citerefentry> or
similar calls should be used to make use of this directory. If applications find the environment
variable <varname>$TMPDIR</varname> set, they should prefer using the directory specified in it over
directly referencing <filename>/var/tmp/</filename> (see <citerefentry
project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
details). For further details about this directory, see <ulink
url="https://systemd.io/TEMPORARY_DIRECTORIES">Using /tmp/ And /var/tmp/
Safely</ulink>.</para></listitem>
project='man-pages'><refentrytitle>mkdtemp</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
and similar calls should be used. For further details about this directory, see <ulink
url="https://systemd.io/TEMPORARY_DIRECTORIES">Using /tmp/ and /var/tmp/ Safely</ulink>.</para>
</listitem>
</varlistentry>
</variablelist>
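Review bot: the new $TMPDIR paragraph for <filename>/var/tmp/</filename> cites environ(7) only, while the parallel paragraph for <filename>/tmp/</filename> in the same file also links IEEE Std 1003.1; cite both in both places or neither. Separately, telling applications to use $TMPDIR "instead of <filename>/var/tmp/</filename>" sits right after describing <filename>/var/tmp/</filename> as the place for "larger and persistent temporary files", and a $TMPDIR pointing at a small tmpfs location would defeat that; one sentence saying the override applies regardless of the file size expected, or a pointer to the linked document for the rationale, would avoid the apparent contradiction. Minor: this entry keeps "For further details about this directory, see" while the <filename>/tmp/</filename> entry was shortened to "For more details, see"; pick one.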
@@ -584,6 +589,19 @@
directives of service units (see
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details).</para>
<para><filename>/tmp/</filename>, <filename>/var/tmp/</filename> and <filename>/dev/shm/</filename>
should be mounted <option>nosuid</option> and <option>nodev</option>, which means that set-user-id mode
and character or block special devices are not interpreted on those file systems. In general it is not
possible to mount them <option>noexec</option>, because various programs use those directories for
dynamically generated or optimized code, and with that flag those use cases would break. Using this flag
is OK on special-purpose installations or systems where all software that may be installed is known and
doesn't require such functionality. See the discussion of
<option>nosuid</option>/<option>nodev</option>/<option>noexec</option> in <citerefentry
project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum></citerefentry> and
<constant>PROT_EXEC</constant> in <citerefentry
project='man-pages'><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry>.
</para>
</refsect1>
<refsect1>
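Review bot: "In general it is not possible to mount them <option>noexec</option>" overstates the case; the mount works, it is the programs that execute or map generated code from these directories that fail, so say "not advisable" (or "generally a bad idea"), which also matches what the commit sets out to say. Two gaps in the same paragraph: <option>nosuid</option> also disables set-group-ID bits and file capabilities, not only "set-user-id mode", so the sentence understates what the flag does (mount(8) lists all three); and the pointer to <constant>PROT_EXEC</constant> in mmap(2) is left unexplained. Add a clause that on a noexec mount mmap(2) with PROT_EXEC fails with EPERM, which is why JIT caches and similar dynamically generated code in <filename>/tmp/</filename> break and not only direct execution. Style nit: the closing </para> is on its own line, unlike the surrounding paragraphs in this file.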


@@ -31,12 +31,12 @@
the local administration directory <filename>/etc/udev/hwdb.d</filename>.
All hwdb files are collectively sorted and processed in lexical order,
regardless of the directories in which they live. However, files with
identical filenames replace each other. Files in <filename>/etc</filename>
identical filenames replace each other. Files in <filename>/etc/</filename>
have the highest priority and take precedence over files with the same
name in <filename>/usr/lib</filename>. This can be used to override a
name in <filename>/usr/lib/</filename>. This can be used to override a
system-supplied hwdb file with a local file if needed;
a symlink in <filename>/etc</filename> with the same name as a hwdb file in
<filename>/usr/lib</filename>, pointing to <filename>/dev/null</filename>,
a symlink in <filename>/etc/</filename> with the same name as a hwdb file in
<filename>/usr/lib/</filename>, pointing to <filename>/dev/null</filename>,
disables that hwdb file entirely. hwdb files must have the extension
<filename>.hwdb</filename>; other extensions are ignored.</para>
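Review bot: "the local administration directory <filename>/etc/udev/hwdb.d</filename>" on the first line of the hunk is a directory and stays without a trailing slash while <filename>/etc/</filename> and <filename>/usr/lib/</filename> in the following lines gain one; write <filename>/etc/udev/hwdb.d/</filename> for consistency with the rest of the change.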


@@ -216,7 +216,7 @@
with <literal>Runtime</literal> apply to the journal files
when stored on a volatile in-memory file system, more
specifically <filename>/run/log/journal</filename>. The former
is used only when <filename>/var</filename> is mounted,
is used only when <filename>/var/</filename> is mounted,
writable, and the directory
<filename>/var/log/journal</filename> exists. Otherwise, only
the latter applies. Note that this means that during early
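Review bot: <filename>/run/log/journal</filename> and <filename>/var/log/journal</filename> in the same sentence are directories but keep no trailing slash while <filename>/var/</filename> gets one; change them to <filename>/run/log/journal/</filename> and <filename>/var/log/journal/</filename> so the paragraph follows one convention.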


@@ -131,15 +131,15 @@
<listitem>
<para>This parameter controls whether the system shall boot up in volatile mode. Takes a boolean argument, or
the special value <literal>state</literal>. If false (the default), normal boot mode is selected, the root
directory and <filename>/var</filename> are mounted as specified on the kernel command line or
directory and <filename>/var/</filename> are mounted as specified on the kernel command line or
<filename>/etc/fstab</filename>, or otherwise configured. If true, full state-less boot mode is selected. In
this case the root directory is mounted as volatile memory file system (<literal>tmpfs</literal>), and only
<filename>/usr</filename> is mounted from the file system configured as root device, in read-only mode. This
<filename>/usr/</filename> is mounted from the file system configured as root device, in read-only mode. This
enables fully state-less boots were the vendor-supplied OS is used as shipped, with only default
configuration and no stored state in effect, as <filename>/etc</filename> and <filename>/var</filename> (as
configuration and no stored state in effect, as <filename>/etc/</filename> and <filename>/var/</filename> (as
well as all other resources shipped in the root file system) are reset at boot and lost on shutdown. If this
setting is set to <literal>state</literal> the root file system is mounted read-only, however
<filename>/var</filename> is mounted as a volatile memory file system (<literal>tmpfs</literal>), so that the
<filename>/var/</filename> is mounted as a volatile memory file system (<literal>tmpfs</literal>), so that the
system boots up with the normal configuration applied, but all state reset at boot and lost at shutdown. If
this setting is set to <literal>overlay</literal> the root file system is set up as
<literal>overlayfs</literal> mount combining the read-only root directory with a writable
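Review bot: the unchanged context line "This enables fully state-less boots were the vendor-supplied OS is used as shipped" has a typo, "were" should be "where"; since this paragraph is being edited anyway, fix it in the same commit. <filename>/etc/fstab</filename> is a file and correctly keeps no trailing slash.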


@@ -238,7 +238,7 @@
<listitem><para>Persistently attach one or more devices to a
seat. The devices should be specified via device paths in the
<filename>/sys</filename> file system. To create a new seat,
<filename>/sys/</filename> file system. To create a new seat,
attach at least one graphics card to a previously unused seat
name. Seat names may consist only of az, AZ, 09,
<literal>-</literal> and <literal>_</literal> and must be
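Review bot: the unchanged context "Seat names may consist only of az, AZ, 09" is missing the range separators and reads as three literal strings; it should read "a-z, A-Z, 0-9" (or use <literal> markup for each range). Worth fixing while this paragraph is touched.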


@@ -111,7 +111,7 @@
<para><citerefentry><refentrytitle>systemd-machine-id-commit.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
will attempt to write the machine ID to the file system if
<filename>/etc/machine-id</filename> or <filename>/etc</filename> are read-only during
<filename>/etc/machine-id</filename> or <filename>/etc/</filename> are read-only during
early boot but become writable later on.</para>
</refsect1>


@@ -64,8 +64,8 @@
<itemizedlist>
<listitem><para>Directory trees containing an OS, including the
top-level directories <filename>/usr</filename>,
<filename>/etc</filename>, and so on.</para></listitem>
top-level directories <filename>/usr/</filename>,
<filename>/etc/</filename>, and so on.</para></listitem>
<listitem><para>btrfs subvolumes containing OS trees, similar to regular directory trees.</para></listitem>
@@ -440,11 +440,11 @@
<term><command>clean</command></term>
<listitem><para>Remove hidden VM or container images (or all). This command removes all hidden machine images
from <filename>/var/lib/machines</filename>, i.e. those whose name begins with a dot. Use <command>machinectl
from <filename>/var/lib/machines/</filename>, i.e. those whose name begins with a dot. Use <command>machinectl
list-images --all</command> to see a list of all machine images, including the hidden ones.</para>
<para>When combined with the <option>--all</option> switch removes all images, not just hidden ones. This
command effectively empties <filename>/var/lib/machines</filename>.</para>
command effectively empties <filename>/var/lib/machines/</filename>.</para>
<para>Note that commands such as <command>machinectl pull-tar</command> or <command>machinectl
pull-raw</command> usually create hidden, read-only, unmodified machine images from the downloaded image first,
@@ -562,7 +562,7 @@
<command>import-tar</command> is used, the file specified as
the first argument should be a tar archive, possibly compressed
with xz, gzip or bzip2. It will then be unpacked into its own
subvolume in <filename>/var/lib/machines</filename>. When
subvolume in <filename>/var/lib/machines/</filename>. When
<command>import-raw</command> is used, the file should be a
qcow2 or raw disk image, possibly compressed with xz, gzip or
bzip2. If the second argument (the resulting image name) is
@@ -890,7 +890,7 @@
<filename>/usr/lib/machines/</filename>. For compatibility reasons,
the directory <filename>/var/lib/container/</filename> is
searched, too. Note that images stored below
<filename>/usr</filename> are always considered read-only. It is
<filename>/usr/</filename> are always considered read-only. It is
possible to symlink machines images from other directories into
<filename>/var/lib/machines/</filename> to make them available for
control with <command>machinectl</command>.</para>


@@ -57,7 +57,7 @@
hostname. When using dynamic hostnames, this is traditionally
achieved by patching <filename>/etc/hosts</filename> at the same
time as changing the hostname. This is problematic since it
requires a writable <filename>/etc</filename> file system and is
requires a writable <filename>/etc/</filename> file system and is
fragile because the file might be edited by the administrator at
the same time. With <command>nss-myhostname</command> enabled,
changing <filename>/etc/hosts</filename> is unnecessary, and on


@@ -156,7 +156,7 @@ node /org/freedesktop/import1 {
operation (as in that case we know the total size on disk). If a socket or pipe is specified, progress information is not
available. The file descriptor argument is followed by a local name for the image. This should be a
name suitable as a hostname and will be used to name the imported image below
<filename>/var/lib/machines</filename>. A tar import is placed as a directory tree or a
<filename>/var/lib/machines/</filename>. A tar import is placed as a directory tree or a
<citerefentry project="man-pages"><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
subvolume below <filename>/var/lib/machines/</filename> under the specified name with no suffix
appended. A raw import is placed as a file in <filename>/var/lib/machines/</filename> with the


@@ -504,7 +504,7 @@ node /org/freedesktop/login1 {
stored on disk.</para>
<para><function>AttachDevice()</function> may be used to assign a specific device to a specific
seat. The device is identified by its <filename>/sys</filename> path and must be eligible for seat
seat. The device is identified by its <filename>/sys/</filename> path and must be eligible for seat
assignments. <function>AttachDevice()</function> takes three arguments: the seat id, the sysfs path,
and a boolean for controlling polkit interactivity (see below). Device assignments are persistently
stored on disk. To create a new seat, simply specify a previously unused seat id. For more information


@@ -1288,11 +1288,11 @@ node /org/freedesktop/systemd1 {
file.</para>
<para><function>EnableUnitFiles()</function> may be used to enable one or more units in the system (by
creating symlinks to them in <filename>/etc</filename> or <filename>/run</filename>). It takes a list
creating symlinks to them in <filename>/etc/</filename> or <filename>/run/</filename>). It takes a list
of unit files to enable (either just file names or full absolute paths if the unit files are residing
outside the usual unit search paths) and two booleans: the first controls whether the unit shall be
enabled for runtime only (true, <filename>/run</filename>), or persistently (false,
<filename>/etc</filename>). The second one controls whether symlinks pointing to other units shall be
enabled for runtime only (true, <filename>/run/</filename>), or persistently (false,
<filename>/etc/</filename>). The second one controls whether symlinks pointing to other units shall be
replaced if necessary. This method returns one boolean and an array of the changes made. The boolean
signals whether the unit files contained any enablement information (i.e. an [Install]) section. The
changes array consists of structures with three strings: the type of the change (one of
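Review bot: in the unchanged context, "whether the unit files contained any enablement information (i.e. an [Install]) section" has the closing parenthesis in the wrong place; it should read "(i.e. an [Install] section)". Since the surrounding lines are being rewritten for the trailing-slash change, fix this in the same hunk.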
@@ -1301,7 +1301,7 @@ node /org/freedesktop/systemd1 {
format.</para>
<para>Similarly, <function>DisableUnitFiles()</function> disables one or more units in the system,
i.e. removes all symlinks to them in <filename>/etc</filename> and <filename>/run</filename>.</para>
i.e. removes all symlinks to them in <filename>/etc/</filename> and <filename>/run/</filename>.</para>
<para>The <function>EnableUnitFilesWithFlags()</function> and <function>DisableUnitFilesWithFlags()</function>
take in options as flags instead of booleans to allow for extendability, defined as follows:</para>
@@ -1425,7 +1425,7 @@ node /org/freedesktop/systemd1 {
flag. Taints may be used to lower the chance of bogus bug reports. The following taints are currently
known: <literal>split-usr</literal>, <literal>mtab-not-symlink</literal>,
<literal>cgroups-missing</literal>, <literal>local-hwclock</literal>. <literal>split-usr</literal> is
set if <filename>/usr</filename> is not pre-mounted when systemd is first invoked. See
set if <filename>/usr/</filename> is not pre-mounted when systemd is first invoked. See
<ulink url="http://freedesktop.org/wiki/Software/systemd/separate-usr-is-broken">
Booting Without /usr is Broken</ulink>
for details why this is bad. <literal>mtab-not-symlink</literal> indicates that
@@ -2094,11 +2094,11 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<literal>disabled</literal>, and <literal>invalid</literal>. <literal>enabled</literal> indicates that a
unit file is permanently enabled. <literal>enable-runtime</literal> indicates the unit file is only
temporarily enabled and will no longer be enabled after a reboot (that means, it is enabled via
<filename>/run</filename> symlinks, rather than <filename>/etc</filename>). <literal>linked</literal>
indicates that a unit is linked into <filename>/etc</filename> permanently. <literal>linked-runtime</literal>
indicates that a unit is linked into <filename>/run</filename> temporarily (until the next
<filename>/run/</filename> symlinks, rather than <filename>/etc/</filename>). <literal>linked</literal>
indicates that a unit is linked into <filename>/etc/</filename> permanently. <literal>linked-runtime</literal>
indicates that a unit is linked into <filename>/run/</filename> temporarily (until the next
reboot). <literal>masked</literal> indicates that the unit file is masked permanently.
<literal>masked-runtime</literal> indicates that it is masked in <filename>/run</filename> temporarily
<literal>masked-runtime</literal> indicates that it is masked in <filename>/run/</filename> temporarily
(until the next reboot). <literal>static</literal> indicates that the unit is statically enabled, i.e.
always enabled and doesn't need to be enabled explicitly. <literal>invalid</literal> indicates that it
could not be determined whether the unit file is enabled.</para>


@@ -59,7 +59,7 @@
<filename>/etc/os-release</filename> should be a relative symlink
to <filename>/usr/lib/os-release</filename>, to provide
compatibility with applications only looking at
<filename>/etc</filename>. A relative symlink instead of an
<filename>/etc/</filename>. A relative symlink instead of an
absolute symlink is necessary to avoid breaking the link in a
chroot or initrd environment such as dracut.</para>


@@ -46,8 +46,8 @@
systemd-logind, instead.</para>
<para>These functions synchronously access data in
<filename>/proc</filename>, <filename>/sys/fs/cgroup</filename>
and <filename>/run</filename>. All of these are virtual file
<filename>/proc/</filename>, <filename>/sys/fs/cgroup/</filename>
and <filename>/run/</filename>. All of these are virtual file
systems, hence the runtime cost of the accesses is relatively
cheap.</para>


@@ -183,7 +183,7 @@
for the credential fields that could not be determined atomically
at peer connection time, and which were later added by reading
augmenting credential data from
<filename>/proc</filename>. Similarly, for credential objects
<filename>/proc/</filename>. Similarly, for credential objects
retrieved via <function>sd_bus_get_owner_creds()</function>, the
mask is set for the fields that could not be determined atomically
at bus creation time, but have been augmented. Similarly, for
@@ -243,7 +243,7 @@
<para><function>sd_bus_creds_get_augmented_mask()</function>
returns the mask of fields that have been augmented from data in
<filename>/proc</filename>, and are thus not suitable for
<filename>/proc/</filename>, and are thus not suitable for
authorization decisions.</para>
<para><function>sd_bus_creds_ref()</function> always returns the


@@ -158,7 +158,7 @@
<constant>NULL</constant>, it is checked whether the file
descriptor is bound to the specified filename. Special files in
this context are character device nodes and files in
<filename>/proc</filename> or <filename>/sys</filename>.</para>
<filename>/proc/</filename> or <filename>/sys/</filename>.</para>
</refsect1>
<refsect1>


@@ -222,7 +222,7 @@
<citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>. This is
useful for implementing services that can restart after an explicit request or a crash without losing
state. Any open sockets and other file descriptors which should not be closed during the restart may be stored
this way. Application state can either be serialized to a file in <filename>/run</filename>, or better, stored
this way. Application state can either be serialized to a file in <filename>/run/</filename>, or better, stored
in a <citerefentry><refentrytitle>memfd_create</refentrytitle><manvolnum>2</manvolnum></citerefentry> memory
file descriptor. Note that the service manager will accept messages for a service only if its
<varname>FileDescriptorStoreMax=</varname> setting is non-zero (defaults to zero, see


@@ -232,7 +232,7 @@
<function>sd_peer_get_cgroup()</function> calls operate similar to
their PID counterparts, but operate on a connected AF_UNIX socket
and retrieve information about the connected peer process. Note
that these fields are retrieved via <filename>/proc</filename>,
that these fields are retrieved via <filename>/proc/</filename>,
and hence are not suitable for authorization purposes, as they are
subject to races.</para>
</refsect1>

Some files were not shown because too many files have changed in this diff.