Re: [systemd-devel] UMask attribute in service file

2017-02-01 Thread Oliver Graute
On 31/01/17, Oliver Graute wrote:
> Hello list,
>
> some further background:
>
> In my system there are different services started by systemd 225 (all
> with UMask=027). Sometimes files are created with 666 sometimes with
> 640 as I wish.
>
> ls -la
> -rw-r-1 oliver oliver

Re: [systemd-devel] Any reason why /run and /dev/shm do not have MS_NOEXEC flags set?

2017-02-01 Thread Topi Miettinen
On 02/01/17 13:13, Hoyer, Marko (ADITG/SW2) wrote:
> Hi,
>
> thanks to all for your fast feedback. I'll kick off an internal discussion
> based on the facts you delivered to find out if our people actually want what
> they want ;)

Filesystem W^X is a nice idea, but considering scripting or

Re: [systemd-devel] Any reason why /run and /dev/shm do not have MS_NOEXEC flags set?

2017-02-01 Thread Hoyer, Marko (ADITG/SW2)
Hi,

thanks to all for your fast feedback. I'll kick off an internal discussion based on the facts you delivered to find out if our people actually want what they want ;)

Best regards

Marko Hoyer
Software Group II (ADITG/SW2)
Tel. +49 5121 49 6948

-Original Message-
From:

Re: [systemd-devel] Any reason why /run and /dev/shm do not have MS_NOEXEC flags set?

2017-02-01 Thread Reindl Harald
On 01.02.2017 at 11:02, Hoyer, Marko (ADITG/SW2) wrote:
> a tiny question:
> - Is there any reason why the mount points /run and /dev/shm do not have MS_NOEXEC flags set? We like to remove execution capabilities from all volatile areas that are writeable to users for security reasons

it's all

Re: [systemd-devel] Any reason why /run and /dev/shm do not have MS_NOEXEC flags set?

2017-02-01 Thread Lennart Poettering
On Wed, 01.02.17 11:19, Michael Biebl (mbi...@gmail.com) wrote:
> 2017-02-01 11:02 GMT+01:00 Hoyer, Marko (ADITG/SW2) :
> > - Is there any reason why the mount points /run and /dev/shm do not have
> > MS_NOEXEC flags set?
>
> /run →

[systemd-devel] Any reason why /run and /dev/shm do not have MS_NOEXEC flags set?

2017-02-01 Thread Hoyer, Marko (ADITG/SW2)
Hello,

a tiny question:
- Is there any reason why the mount points /run and /dev/shm do not have MS_NOEXEC flags set? We like to remove execution capabilities from all volatile areas that are writeable to users for security reasons.

Best regards

Marko Hoyer

Re: [systemd-devel] Any reason why /run and /dev/shm do not have MS_NOEXEC flags set?

2017-02-01 Thread Michael Biebl
2017-02-01 11:02 GMT+01:00 Hoyer, Marko (ADITG/SW2) :
> - Is there any reason why the mount points /run and /dev/shm do not have
> MS_NOEXEC flags set?

/run → https://www.freedesktop.org/wiki/Software/systemd/InitrdInterface/
the initrd can place executables in /run so it