NEWS: start section for 231, with tmpfs.mount option changes (#3576)

This documents the "add nosuid and nodev options to tmp.mount" change from commit 2f9df7c96a.
2016-06-22 13:22:47 +02:00 · 2016-06-22 13:22:47 +02:00 · 5cd118bab0
parent 98471bf0fa
commit 5cd118bab0
1 changed files with 14 additions and 0 deletions
--- a/14
+++ b/14
@ -1,5 +1,19 @@
 systemd System and Service Manager

+CHANGES WITH 231:
+
+        * When using systemd's default tmp.mount for /tmp, this will now be
+          mounted with the "nosuid" and "nodev" options. This avoids
+          privilege escalation attacks that put traps and exploits into /tmp.
+          However, this might cause some problems if you e. g. put container
+          images or overlays into /tmp; if you need this, override tmp.mount's
+          "Options=" with a drop-in, or mount /tmp from /etc/fstab with your
+          desired options.
+
+        Contributions from: ...
+
+        — Somewhere, 2016-XX-XX
+
 CHANGES WITH 230:

        * DNSSEC is now turned on by default in systemd-resolved (in