On Mo, 30.12.19 12:26, Mantas Mikulėnas (grawity@xxxxxxxxx) wrote:

> > a script to remount /home /tmp /dev/shm /run (configurable) with
> > nosuid,nodev (+noexec configurable) has been created by me. The purpose
> > of remounting is increasing the security of the system. The script shall
> > run as early as reasonably possible during boot.
> >
> > The systemd unit file [1] and script [2] attached below in a simplified
> > version or links to actual version. [3] [4] This is planned to be
> > enabled by default in a Debian derivative Linux distribution.
> >
>
> On a standard Debian system, the three tmpfs mounts (/run, /tmp, /dev/shm)
> *already have* the nosuid and nodev options – this is hardcoded in
> mount-setup.c. So you should first figure out why they are not present in
> your case to begin with.

And noexec doesn't really make much sense for these dirs, as this blocks
mmap() with MAP_EXEC and there are plenty of apps that want to use that.

Moreover "noexec" is at best a protection against accidental execution and
not a security mechanism since it is trivially easy to circumvent (just call
the interpreter directly with the file to execute as first arg, which for
ELF means "/lib64/ld-linux-x86-64.so.2 $BINARY")

I mean, we'd set it by default if it worked and if it would lock things
down, but unfortunately it does neither really...

> All mounts exist as .mount units, so they can be overridden by custom
> .mount units and .mount.d/ drop-ins, similar to services.

/run and /dev/shm are considered "API" mounts, i.e. systemd mounts them
internally, and doesn't expose .mount units for them.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
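A small audit along the lines of the advice above, to first check which options /run, /tmp and /dev/shm actually carry before remounting anything; this is an added example for this thread, not code from the posters or from systemd. It parses a constructed table in /proc/self/mounts format, and the mount points and the wanted options (nosuid, nodev) are assumptions taken from the discussion.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mounts format (not taken from a real host):
# /run and /dev/shm carry nosuid,nodev as mount-setup.c sets them; /tmp does not.
SAMPLE_MOUNTS='tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0'

# Options of mount point $1 from mounts table $2; the last matching
# line wins because a later mount shadows an earlier one on the same path.
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { o = $4 } END { print o }'
}

# Succeed if the comma-separated option list $1 contains option $2.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Report whether mount point $1 in table $2 has nosuid and nodev
# (the options systemd applies to its API mounts); fail if any is missing.
check_mount() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || { echo "$1: not mounted"; return 1; }
    missing=""
    for want in nosuid nodev; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    [ -z "$missing" ] && { echo "$1: ok ($opts)"; return 0; }
    echo "$1: missing$missing (have $opts)"
    return 1
}

# Audit the three tmpfs mounts discussed in the thread; $1 is a mounts table,
# defaulting to the live /proc/self/mounts. Fails if any mount lacks an option.
audit_mounts() {
    table=${1:-$(cat /proc/self/mounts)}
    rc=0
    for mp in /run /tmp /dev/shm; do
        check_mount "$mp" "$table" || rc=1
    done
    return $rc
}

# Run against the sample table; call plain `audit_mounts` for the live system.
audit_mounts "$SAMPLE_MOUNTS" || echo "at least one mount lacks nosuid/nodev"
```

A mount reported as missing options on a real system points at a local override (fstab entry, drop-in, or a later remount) rather than at systemd's defaults, which is the question the reply asks the poster to answer first.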