Profile Applicability:
 • Level 1

Description:
The nosuid mount option prevents the operation of set-user-identifier (setuid) and set-group-identifier (setgid) bits on executable files in the mounted filesystem. Applying this option to /dev/shm helps prevent privilege escalation attacks originating from shared memory.

Rationale:
 Setting the nosuid option on /dev/shm reduces the risk that attackers can exploit setuid/setgid binaries or scripts in shared memory to gain elevated privileges.

Impact:
 Pros:

  • Mitigates privilege escalation attacks via setuid/setgid binaries in /dev/shm.

  • Enhances overall system security posture.

Cons:

  • May affect applications relying on setuid/setgid functionality in /dev/shm (rare).

Default Value:
 The nosuid option is commonly set on /dev/shm by default but should be verified.

Pre-requisites:

  • Root or sudo privileges to modify /etc/fstab and remount filesystems.

  • /dev/shm must be mounted as a separate tmpfs partition.

Remediation:

Test Plan:

Using Linux command line:

  1. Check current mount options for /dev/shm:

     mount | grep /dev/shm

  2. Verify if nosuid is set in /etc/fstab for /dev/shm:

     grep /dev/shm /etc/fstab
    Expected output: Mount options for /dev/shm include nosuid.


Implementation Plan:

Using Linux command line:

  1. Edit /etc/fstab to add nosuid to the /dev/shm mount options, for example:
    tmpfs  /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0  0

  2. Remount /dev/shm with the new options:

     mount -o remount,nosuid /dev/shm

  3. Verify mount options:

     mount | grep /dev/shm

Backout Plan:

Using Linux command line:

  1. Remove nosuid from /dev/shm mount options in /etc/fstab.

  2. Remount /dev/shm without nosuid:

     mount -o remount /dev/shm

  3. Verify mount options:

     mount | grep /dev/shm

References: