I believe this might be a security issue, as this happened in 2014, but would rather not pay $29 for "Premium Support".
It looks like the initramfs is not always mounting the /run partition as noexec.
A stock Ubuntu 22.04 install shows the noexec mount option is present (source), so I suspect one of the AWS modifications has affected this?
I can check four EC2 servers that are running Ubuntu 22.04.1 LTS, three of them upgraded from Ubuntu 20.04.5, the other started new a few weeks ago... oddly, two of the upgraded servers have kept the noexec.
# New server
# Launched: Sep 02 2022
# AMI name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20220609
mount | grep '/run '
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=803020k,nr_inodes=819200,mode=755,inode64)
uname -a
Linux HostB 5.15.0-1020-aws #24-Ubuntu SMP Thu Sep 1 16:04:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
# Upgraded server
# Launched: Apr 25 2022
# AMI name: ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20211129
mount | grep '/run '
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=94812k,nr_inodes=819200,mode=755,inode64)
uname -a
Linux HostA 5.15.0-1020-aws #24-Ubuntu SMP Thu Sep 1 16:04:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
# Upgraded server
# Launched: Nov 16 2021
# AMI name: ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20180522
mount | grep '/run '
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=47408k,mode=755,inode64)
uname -a
Linux HostC 5.15.0-1020-aws #24-Ubuntu SMP Thu Sep 1 16:04:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
# Upgraded server
# Launched: Feb 10 2017
# AMI name: ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20170113
mount | grep '/run '
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=202012k,mode=755,inode64)
uname -a
Linux HostD 5.15.0-48-generic #54-Ubuntu SMP Fri Aug 26 13:26:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Update 2022-09-28: Thanks to Andrew Lowther, it looks like a temporary workaround is to use the details in this initramfs does not get loaded bug report:
mv /etc/default/grub.d/40-force-partuuid.cfg{,.bak};
update-grub;
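As an added example (not part of the bug report above), a small POSIX sh audit that checks a `mount` line for /run for the noexec option and, on a live host, reads the current /run options with findmnt (util-linux); the two sample lines are copied from the report's HostB and HostC output and `run_has_noexec`/`audit_live_run` are names chosen here.

```shell
# Added example: audit whether /run is mounted noexec.
# Sample `mount` lines, constructed from the report above (HostB: missing noexec,
# HostC: has noexec).
SAMPLE_RUN_NEW='tmpfs on /run type tmpfs (rw,nosuid,nodev,size=803020k,nr_inodes=819200,mode=755,inode64)'
SAMPLE_RUN_OLD='tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=47408k,mode=755,inode64)'

# run_has_noexec LINE
# Takes one line of `mount` output and returns 0 if the parenthesised option
# list contains noexec as a whole option, 1 otherwise.
run_has_noexec() {
    # Pull "rw,nosuid,..." out of the trailing "( ... )".
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_live_run
# Reads the live /run mount options via findmnt and prints PASS or FAIL.
# Returns 0 when noexec is present, 1 when it is missing, 2 if findmnt is
# unavailable or /run is not a mount point.
audit_live_run() {
    command -v findmnt >/dev/null 2>&1 || { echo "SKIP: findmnt not found"; return 2; }
    opts=$(findmnt -n -o OPTIONS /run) || { echo "SKIP: /run is not a mount point"; return 2; }
    if run_has_noexec "tmpfs on /run type tmpfs ($opts)"; then
        echo "PASS: /run mounted with noexec ($opts)"
        return 0
    fi
    echo "FAIL: /run mounted without noexec ($opts)"
    return 1
}
```

Run `audit_live_run` on each instance after applying the grub workaround and rebooting to confirm /run regained noexec.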