On 02/01/17 13:13, Hoyer, Marko (ADITG/SW2) wrote:
> Hi,
>
> thanks to all for your fast feedback. I'll kick off an internal discussion
> based on the facts you delivered to find out if our people actually want what
> they want ;)
Filesystem W^X is a nice idea, but considering scripting or other (even
unintentional) Turing complete interpreters in a system, it's not very strong
protection. See also https://lwn.net/Articles/708196/

In my setup I have mounted /run with noexec, but /run/user/* still exec. Then
for each service you can enable systemd directive ProtectHome=true which makes
/run/user inaccessible.

Likewise for /dev/shm, you can check if it is needed by each service at all and
make it completely inaccessible if so, rather than making it globally noexec.

-Topi

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
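An added illustration, not taken from Topi's message or from the systemd project: a drop-in for a hypothetical unit `example.service` that applies the two per-service restrictions described above. The unit name and drop-in path are assumptions; the noexec mount of /run itself is configured at mount level and is outside this file.

```ini
# /etc/systemd/system/example.service.d/hardening.conf
# Added example for a hypothetical unit; the unit name is an assumption.
[Service]
# Makes /home, /root and /run/user inaccessible to this service, which closes
# the exec-capable /run/user/* tmpfs even when /run itself is mounted noexec.
ProtectHome=true
# Only for services that do not need POSIX shared memory: hide /dev/shm
# entirely for this service instead of relying on a global noexec option.
InaccessiblePaths=/dev/shm
```

After `systemctl daemon-reload` and a restart of the service, `systemctl show -p ProtectHome -p InaccessiblePaths example.service` prints the effective values. Check that the service still starts: anything that uses POSIX shared memory (`shm_open`) will fail once /dev/shm is hidden, which is exactly the per-service need check the message describes.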