Hello Kicksecure Community,
I have been researching tmpfs and optimal ways to mount places to it in my Kicksecure morph install without conflicting with anything like grub-live, systemd-fstab-generator, and swap-file-creator.
What led me down this rabbit hole was how someone in a “group chat” mentioned that they mounted their /tmp and their /.cache directories to tmpfs, essentially keeping them in volatile memory given they don’t swap.
I don’t believe I did it correctly, which is leading me to ask here. While some of this might or might not be Kicksecure specific (see fstab-vm below), I felt this would be a good place to ask since it seems like a lot of security researchers and people who know Linux better are here. Who knows, maybe this might help someone else or start a wiki entry about this topic.
Alrighty then, I first noticed an error message at boot which I thought at the time was a conflict related to booting into “Live Mode”, but I tested that theory by booting normally and it showed up both ways.
journalctl -b -p err | head -n 3
May 04 21:26:43 laptop systemd-fstab-generator[394]: Failed to create unit file '/run/systemd/generator/-.mount', as it already exists. Duplicate entry in '/etc/fstab'?
May 04 21:26:43 laptop systemd-fstab-generator[394]: Failed to create unit file '/run/systemd/generator/tmp.mount', as it already exists. Duplicate entry in '/etc/fstab'?
May 04 21:26:43 laptop (sd-execut[390]: /usr/lib/systemd/system-generators/systemd-fstab-generator failed with exit status 1.
cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a device; this may
# be used with UUID= as a more robust way to name devices that works even if
# disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=7908-0C4D /boot/efi vfat defaults,noatime 0 2
/dev/mapper/luks-90aa4338-82d9-4f48-97f1-ad86a6dfc4bf / ext4 defaults,noatime,discard 0 1
/dev/mapper/luks-a3e63f9c-a3bb-4414-b1c4-f08ade4ca71d swap swap defaults,noatime,discard 0 0
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
# .cache
tmpfs /home/user/.cache tmpfs defaults,noatime,mode=1777 0 0
overlay / overlay rw 0 0
tmpfs /tmp tmpfs nosuid,nodev 0 0
- What’s better?
Is the duplicate entry line better for /tmp to tmpfs in /etc/fstab?
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
I distro-morphed this install, so I’m not sure what came with Debian and what came with Kicksecure.
Looking at the fstab-vm file in the security-misc repository made me look into whether this is the incorrect way to mount and the cause of the confusion.
Looking at line #23, it doesn’t seem right in formatting, and why use bind in conjunction? Wouldn’t that not align with creating a new tmpfs instance?
tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
- ~/.cache mounted to tmpfs
What is better for mounting user cache to tmpfs?
Is it, or rather would it be, better to just mount /tmp to tmpfs and then symlink ~/.cache to /tmp?
sudo mount -t tmpfs -o defaults,nosuid,nodev,noexec tmpfs /tmp && mkdir -p /tmp/.cache && ln -s /tmp/.cache ~/.cache
Or would setting the XDG_CACHE_HOME variable to /tmp/$USER/.cache be better?
export XDG_CACHE_HOME="/tmp/$USER/.cache"
However, don’t most apps not always respect the XDG spec?
- Can I have my cake and eat it too?
Can I have both /tmp on tmpfs and XDG_CACHE_HOME set without issue, or is it unnecessary?
- Issues related to “Live Mode” and encrypted swap with tmpfs mounts?
Is there any issue/bottleneck/conflict with mounting .cache and /tmp to tmpfs with the grub-live implementation?
If I or another user have these mount points, is there going to be an issue at the times I might boot into “Live Mode”?
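Added example (my own, not code from the original post or from the security-misc project): a POSIX shell snippet that runs two read-only checks over a constructed fstab laid out like the one above. The first finds mount points listed more than once, which is the condition behind the "Duplicate entry in '/etc/fstab'?" message from systemd-fstab-generator; the second lists tmpfs lines that lack the nosuid/nodev/noexec options the quoted fstab-vm entry carries. It assumes only awk and mktemp are available, and the device names in the sample are placeholders.

```shell
# Added example, not from the original post or the security-misc repository.
# Two read-only checks over an fstab-style file, using only awk and mktemp.

# fstab_dups FILE: print "MOUNTPOINT COUNT" for every mount point listed more
# than once (the condition behind "Duplicate entry in '/etc/fstab'?").
# Returns 1 if any duplicates were found, 0 otherwise.
fstab_dups() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and blank lines
        { count[$2]++ }                       # field 2 is the mount point
        END {
            found = 0
            for (mp in count)
                if (count[mp] > 1) { print mp, count[mp]; found = 1 }
            exit found
        }' "$1"
}

# tmpfs_weak_opts FILE: print "MOUNTPOINT: <missing options>" for each tmpfs
# entry whose option list lacks nosuid, nodev or noexec (the options on the
# fstab-vm line quoted in the post).
tmpfs_weak_opts() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        $3 == "tmpfs" {
            missing = ""
            n = split("nosuid nodev noexec", want, " ")
            for (i = 1; i <= n; i++)
                if (("," $4 ",") !~ ("," want[i] ",")) missing = missing " " want[i]
            if (missing != "") print $2 ":" missing
        }' "$1"
}

# Constructed sample laid out like the fstab in the post; the UUID and
# mapper name are placeholders, not real devices.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=XXXX-XXXX /boot/efi vfat defaults,noatime 0 2
/dev/mapper/luks-PLACEHOLDER / ext4 defaults,noatime,discard 0 1
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
tmpfs /home/user/.cache tmpfs defaults,noatime,mode=1777 0 0
overlay / overlay rw 0 0
tmpfs /tmp tmpfs nosuid,nodev 0 0
EOF

# fstab_dups prints "/ 2" and "/tmp 2" (order varies) and returns 1 here;
# tmpfs_weak_opts prints three lines, one per tmpfs entry.
```

Run `fstab_dups /etc/fstab` on the real file to see exactly which mount points the generator is tripping over; both functions only read the file.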