CCE-91116-4 | Platform: cpe:/o:ubuntu:ubuntu_linux:14.04 | Date: (C)2017-03-14 (M)2023-07-04 |
Add nosuid Option to /run/shm Partition (Scored)
The nosuid mount option specifies that setuid and setgid bits on executable programs in /run/shm (a temporary filesystem stored in memory) are not honored; such programs run with the uid and gid of the user executing them.
Parameter:
[]
Technical Mechanism:
Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.
Fix:
Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information.
# mount -o remount,nosuid /run/shm
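One way to verify the fix, as an added example that is not part of the CCE entry: the function below parses an fstab-format file and reports whether every /run/shm entry carries nosuid in the fourth field. The function name check_nosuid, the choice to treat an explicit suid token as a failure, and the sample fstab are assumptions constructed here.

```shell
#!/bin/sh
# Added example (not part of the CCE entry).
# fstab(5) fields: 1=device 2=mount point 3=type 4=options 5=dump 6=pass.

# check_nosuid FILE [MOUNTPOINT]   (hypothetical helper name)
# Prints: pass    - every entry for MOUNTPOINT carries nosuid
#         fail    - an entry lacks nosuid or sets suid explicitly
#         missing - FILE has no entry for MOUNTPOINT
check_nosuid() {
    awk -v mp="${2:-/run/shm}" '
        $1 ~ /^#/ || NF < 4 { next }          # comments, blank and short lines
        $2 == mp {
            found = 1
            has_nosuid = 0; has_suid = 0
            n = split($4, opts, ",")          # compare whole tokens, not substrings
            for (i = 1; i <= n; i++) {
                if (opts[i] == "nosuid") has_nosuid = 1
                if (opts[i] == "suid")   has_suid = 1
            }
            if (!has_nosuid || has_suid) bad = 1
        }
        END {
            if (!found)   print "missing"
            else if (bad) print "fail"
            else          print "pass"
        }' "$1"
}

# Constructed sample fstab for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <device> <mount point> <type> <options> <dump> <pass>
proc   /proc     proc   nodev,noexec,nosuid  0 0
none   /run/shm  tmpfs  rw,nodev             0 0
EOF
echo "before fix: $(check_nosuid "$sample")"

# The same entry with nosuid added to the fourth field.
sed 's|rw,nodev |rw,nosuid,nodev |' "$sample" > "$sample.fixed"
echo "after fix:  $(check_nosuid "$sample.fixed")"
rm -f "$sample" "$sample.fixed"
```

Run it against /etc/fstab to confirm the setting persists across reboots, and against /proc/mounts (which uses the same first four fields) to confirm the remount took effect on the live system.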
| CCSS Severity | | CCSS Metrics | |
| --- | --- | --- | --- |
| CCSS Score | 8.8 | Attack Vector | LOCAL |
| Exploit Score | 2.0 | Attack Complexity | LOW |
| Impact Score | 6.0 | Privileges Required | LOW |
| Severity | HIGH | User Interaction | NONE |
| Vector | AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | Scope | CHANGED |
| | | Confidentiality | HIGH |
| | | Integrity | HIGH |
| | | Availability | HIGH |
References:

| Resource Id | Reference |
| --- | --- |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:33838 |