Discussion:
Any reason why /run and /dev/shm do not have MS_NOEXEC flags set?
Hoyer, Marko (ADITG/SW2)
2017-02-01 10:02:01 UTC
Hello,

a tiny question:
- Is there any reason why the mount points /run and /dev/shm do not have MS_NOEXEC flags set?

We like to remove execution capabilities from all volatile areas that are writeable to users for security reasons.

Best regards

Marko Hoyer
Michael Biebl
2017-02-01 10:19:44 UTC
Post by Hoyer, Marko (ADITG/SW2)
- Is there any reason why the mount points /run and /dev/shm do not have
MS_NOEXEC flags set?
/run → https://www.freedesktop.org/wiki/Software/systemd/InitrdInterface/

the initrd can place executables in /run so it can cleanly
disassemble the / file system

/dev/shm → the mount options have been like this for basically
forever. I assume changing that has the potential to break existing
software
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Lennart Poettering
2017-02-01 10:24:08 UTC
Post by Michael Biebl
Post by Hoyer, Marko (ADITG/SW2)
- Is there any reason why the mount points /run and /dev/shm do not have
MS_NOEXEC flags set?
/run → https://www.freedesktop.org/wiki/Software/systemd/InitrdInterface/
the initrd can place executables in /run so it can cleanly
disassemble the / file system
/dev/shm → the mount options have been like this for basically
forever. I assume changing that has the potential to break existing
software
Also, some software uses these locations to place memory mapped files
with PROT_EXEC set, which setting MS_NOEXEC prohibits too.

Lennart
--
Lennart Poettering, Red Hat
Reindl Harald
2017-02-01 10:54:50 UTC
Post by Hoyer, Marko (ADITG/SW2)
- Is there any reason why the mount points /run and /dev/shm do not have
MS_NOEXEC flags set?
We like to remove execution capabilities from all volatile areas that
are writeable to users for security reasons
it's all not that easy - see
https://bugzilla.redhat.com/show_bug.cgi?id=1398474 and
https://bugs.exim.org/show_bug.cgi?id=1749 and I am pretty sure other
pieces would break in case of noexec SHM (yes, I know that these
bug reports are not about SHM, they are just an example)
Hoyer, Marko (ADITG/SW2)
2017-02-01 13:13:21 UTC
Hi,

thanks to all for your fast feedback. I'll kick off an internal discussion based on the facts you delivered to find out if our people actually want what they want ;)

Best regards

Marko Hoyer
Software Group II (ADITG/SW2)

Tel. +49 5121 49 6948
Topi Miettinen
2017-02-01 17:10:23 UTC
Post by Hoyer, Marko (ADITG/SW2)
Hi,
thanks to all for your fast feedback. I'll kick off an internal discussion based on the facts you delivered to find out if our people actually want what they want ;)
Filesystem W^X is a nice idea, but considering scripting or other (even
unintentional) Turing complete interpreters in a system, it's not very
strong protection. See also
https://lwn.net/Articles/708196/

In my setup I have mounted /run with noexec, but /run/user/* still exec.
Then for each service you can enable systemd directive ProtectHome=true
which makes /run/user inaccessible.

Likewise for /dev/shm, you can check if it is needed by each service at
all and make it completely inaccessible if so, rather than making it
globally noexec.

-Topi
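An added example, not code from the thread or from systemd: a small POSIX shell audit that reads mount entries in /proc/mounts format and reports which tmpfs mounts (such as /run, /dev/shm and the per-user /run/user/* mounts Topi mentions) still allow exec. The sample mount table is constructed; with no argument the functions read the live /proc/mounts.

```shell
#!/bin/sh
# Added example: audit noexec on tmpfs mounts using /proc/mounts lines.
# /proc/mounts fields: fsname mountpoint fstype options freq passno

# Constructed sample table (not captured from a real host): /run lacks
# noexec, /dev/shm has it, and /run/user/1000 is exec as in Topi's setup.
SAMPLE_MOUNTS='tmpfs /run tmpfs rw,nosuid,nodev,size=1024k,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,mode=700,uid=1000 0 0'

# mount_exec_state MOUNTPOINT [MOUNTS_TEXT]
# Prints "noexec", "exec" or "unknown" for MOUNTPOINT. Exit status is
# 0 for noexec, 1 for exec, 2 when the mount point is not in the table.
mount_exec_state() {
    mp=$1
    text=${2:-$(cat /proc/mounts)}
    opts=$(printf '%s\n' "$text" | awk -v mp="$mp" '$2 == mp { print $4 }')
    if [ -z "$opts" ]; then
        echo "unknown"
        return 2
    fi
    # Surround with commas so "noexec" only matches a whole option.
    case ",$opts," in
        *,noexec,*) echo "noexec"; return 0 ;;
        *)          echo "exec";   return 1 ;;
    esac
}

# list_exec_tmpfs [MOUNTS_TEXT]
# Lists every tmpfs mount point whose options do not include noexec,
# one per line; these are the writable volatile areas still executable.
list_exec_tmpfs() {
    text=${1:-$(cat /proc/mounts)}
    printf '%s\n' "$text" |
        awk '$3 == "tmpfs" && ("," $4 ",") !~ /,noexec,/ { print $2 }'
}

# Stand-alone run against the constructed sample.
for mp in /run /dev/shm /run/user/1000; do
    printf '%s: %s\n' "$mp" "$(mount_exec_state "$mp" "$SAMPLE_MOUNTS")"
done
```

Run it without the sample argument to audit the live system; per-service sandboxing (ProtectHome=, InaccessiblePaths=) is then the systemd-side follow-up for mounts that must stay exec globally.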
Hoyer, Marko (ADITG/SW2)
2017-02-05 18:37:41 UTC
Thx for the ideas. I'll bring them up in an internal discussion as well.

Best regards

Marko Hoyer
Software Group II (ADITG/SW2)

Tel. +49 5121 49 6948
