Hi all,
I have FCOS 37 deployed to ~100 remotely managed systems. I need to apply the noexec flag to the /var partition on these systems. I found this page, Configuring Storage :: Fedora Docs, which talks about how this flag might be applied in a Butane config, but I cannot use this as it can only be applied during the initial provisioning and these systems are already deployed remotely. There is no /etc/fstab file on FCOS 37, so I don’t think that the flag may be applied by editing the fstab.
How do I configure the system to mount the /var partition with the noexec flag?
I know nothing about Fedora CoreOS beyond its intersection with Silverblue, but if you did something like this from your link:
```yaml
filesystems:
  - path: /var
    device: /dev/disk/by-partlabel/var
    # We can select the filesystem we'd like.
    format: ext4
    # Ask Butane to generate a mount unit for us so that this filesystem
    # gets mounted in the real root.
    with_mount_unit: true
```
I’d expect you to have a /etc/systemd/system/var.mount. In any case, systemctl cat /var should show you where the mount is defined.
In lieu of editing that file, you could create a drop-in: /etc/systemd/system/var.mount.d/noexec.conf:
```ini
[Mount]
Options=noexec
```
Note that this would override any options already set in the main unit file.
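Because a drop-in's Options= replaces the value from the main unit rather than appending to it, a safer drop-in carries the existing options plus noexec. The following POSIX shell helper is an added example, not code from the thread or from Fedora CoreOS: it reads Options= out of a unit file's text, merges in noexec, and renders the drop-in. The unit text is a constructed sample; the unit name var.mount and its options are assumptions about what Butane generated on a given system.

```shell
#!/bin/sh
# Added example: build a var.mount drop-in that adds noexec while keeping the
# Options= the generated unit already has (a drop-in's Options= overrides it).

# Print the last Options= value found in a unit file read from stdin.
unit_options() {
    sed -n 's/^Options=//p' | tail -n 1
}

# Merge extra mount options into an existing comma-separated list,
# dropping empty entries and duplicates while preserving order.
merge_options() {
    existing="$1"
    extra="$2"
    printf '%s\n' "$existing" "$extra" \
        | tr ',' '\n' \
        | awk 'NF && !seen[$0]++' \
        | paste -s -d ',' -
}

# Render the drop-in contents for /etc/systemd/system/var.mount.d/noexec.conf.
render_dropin() {
    printf '[Mount]\nOptions=%s\n' "$1"
}

# Report whether an options string (e.g. from `findmnt -no OPTIONS /var`)
# already contains noexec; returns 0 if so, 1 otherwise.
has_noexec() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx 'noexec'
}

# Constructed sample of a Butane-generated var.mount (assumption, for demo).
SAMPLE_UNIT='[Unit]
Description=Mount /var
[Mount]
Where=/var
What=/dev/disk/by-partlabel/var
Type=ext4
Options=defaults,prjquota
[Install]
WantedBy=local-fs.target'

# On a real host replace SAMPLE_UNIT with: systemctl cat var.mount
existing=$(printf '%s\n' "$SAMPLE_UNIT" | unit_options)
merged=$(merge_options "$existing" "noexec")
render_dropin "$merged"
# Apply live with: mount -o remount,noexec /var ; persist by writing the
# drop-in, then systemctl daemon-reload ; verify: findmnt -no OPTIONS /var
```

The check with findmnt matters because a drop-in that only takes effect at the next boot leaves the running fleet unchanged until then.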
If you want to create your own mount unit, then you can just drop this and define it separately, or you could leave it and do the /etc/systemd/system/var.mount.d/noexec.conf as suggested by @chrisawi.