Remove noexec #864
Description
I'm opening this issue because I feel like this decision deserves some additional discussion: #826 (comment)
The way I see it, the addition of noexec was included in this PR the same way an NBA team might throw in an inconsequential player into a trade package to make it slightly more appealing. There's nothing wrong with that, but I think the decision deserves a little bit more discussion which is why I'm opening this issue.
The thing that led me to that PR was me trying to template a script and then execute it directly from the /run/secrets/rendered directory, which would have been the cleanest available option in the systemd service that I was writing. I was able to work around the limitation imposed by noexec by just copying the script into a working directory that wasn't mounted noexec, and I could have also worked around this issue by just calling bash on the location in the original secrets directory directly to interpret the file instead of trying to execute it.
The way I see it is the following:
- Mounting with
noexecprovides no substantial benefit in any real way; security, performance, etc. (I'm happy to be corrected in this regard) - It was only included as an afterthought
- It only serves to slightly increase friction when using templates
I think that we should remove the noexec mount option