Re: [systemd-devel] Any reason why /run and /dev/shm do not have MS_NOEXEC flags set?

2017-02-01 Thread Topi Miettinen
On 02/01/17 13:13, Hoyer, Marko (ADITG/SW2) wrote:
> Hi,
> 
> thanks to all for your fast feedback. I'll kick off an internal discussion 
> based on the facts you delivered to find out if our people actually want what 
> they want ;)

Filesystem W^X is a nice idea, but considering scripting or other (even
unintentional) Turing complete interpreters in a system, it's not very
strong protection. See also
https://lwn.net/Articles/708196/

In my setup I have mounted /run with noexec, but /run/user/* still exec.
Then for each service you can enable systemd directive ProtectHome=true
which makes /run/user inaccessible.

Likewise for /dev/shm, you can check if it is needed by each service at
all and make it completely inaccessible if so, rather than making it
globally noexec.

-Topi

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
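An added example (not code from the thread or from systemd) of auditing the layout Topi describes: parse a /proc/self/mounts-style table, list the volatile user-writable mount points (/run, /dev/shm, /run/user/<uid>) that still allow exec, and render the per-service drop-in that hides /run/user via ProtectHome=true and, for a service that does not need it, removes /dev/shm. The sample mount table is constructed for the example; the InaccessiblePaths= directive is assumed from systemd.exec(5), not named in the thread.

```python
"""Audit volatile, user-writable mount points for noexec and render a per-service
hardening drop-in. Added example; SAMPLE_MOUNTS is constructed, not captured."""

import re

# Constructed sample in /proc/self/mounts format:
# device mountpoint fstype options dump pass
# /run is noexec, /run/user/1000 and /dev/shm are not, and one path shows the
# kernel's octal escaping of a space.
SAMPLE_MOUNTS = """\
tmpfs /run tmpfs rw,nosuid,nodev,noexec,mode=755 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=1638400k,mode=700,uid=1000,gid=1000 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /srv/my\\040share ext4 rw,relatime 0 0
"""

# Volatile mount points writable by unprivileged users; /run/user/<uid> is per user.
VOLATILE_RE = re.compile(r"^(/run|/dev/shm|/run/user/\d+)$")


def unescape_mount_field(field: str) -> str:
    """Undo the octal escapes the kernel uses in /proc/mounts (e.g. \\040 for a space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(table: str) -> dict:
    """Map mount point -> set of mount options. A later line for the same mount
    point overrides an earlier one, matching what a stacked mount exposes."""
    mounts = {}
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        mountpoint = unescape_mount_field(fields[1])
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def volatile_exec_mounts(table: str) -> list:
    """Volatile user-writable mount points that lack noexec, in table order."""
    return [mp for mp, opts in parse_mounts(table).items()
            if VOLATILE_RE.match(mp) and "noexec" not in opts]


def service_dropin(needs_shm: bool) -> str:
    """Render a drop-in for one service: ProtectHome=true hides /run/user from it,
    and a service that does not need /dev/shm has it removed with InaccessiblePaths=
    (directive assumed from systemd.exec(5))."""
    lines = ["[Service]", "ProtectHome=true"]
    if not needs_shm:
        lines.append("InaccessiblePaths=/dev/shm")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for mp in volatile_exec_mounts(SAMPLE_MOUNTS):
        print(f"{mp}: exec allowed")
    print(service_dropin(needs_shm=False))
```

On a real host call `volatile_exec_mounts(open("/proc/self/mounts").read())`; the drop-in text goes in `/etc/systemd/system/<unit>.service.d/hardening.conf`, and whether a given service needs /dev/shm has to be checked per service, as Topi says, before applying it.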


Re: [systemd-devel] Any reason why /run and /dev/shm do not have MS_NOEXEC flags set?

2017-02-01 Thread Hoyer, Marko (ADITG/SW2)
Hi,

thanks to all for your fast feedback. I'll kick off an internal discussion 
based on the facts you delivered to find out if our people actually want what 
they want ;)

Best regards

Marko Hoyer
Software Group II (ADITG/SW2)

Tel. +49 5121 49 6948
-Original Message-
From: systemd-devel [mailto:systemd-devel-boun...@lists.freedesktop.org] On 
Behalf Of Reindl Harald
Sent: Wednesday, 1 February 2017 11:55
To: systemd-devel@lists.freedesktop.org
Subject: Re: [systemd-devel] Any reason why /run and /dev/shm do not have 
MS_NOEXEC flags set?



On 01.02.2017 at 11:02, Hoyer, Marko (ADITG/SW2) wrote:
> a tiny question:
>
> - Is there any reason why the mount points /run and /dev/shm do not 
> have MS_NOEXEC flags set?
>
> We like to remove execution capabilities from all volatile areas that 
> are writeable to users for security reasons

it's all not that easy - see
https://bugzilla.redhat.com/show_bug.cgi?id=1398474 and
https://bugs.exim.org/show_bug.cgi?id=1749 and I am pretty sure other pieces 
would break in case of noexec SHM (yes I know that these bug reports are not 
about SHM, they are just an example)




Re: [systemd-devel] Any reason why /run and /dev/shm do not have MS_NOEXEC flags set?

2017-02-01 Thread Reindl Harald



On 01.02.2017 at 11:02, Hoyer, Marko (ADITG/SW2) wrote:

> a tiny question:
> 
> - Is there any reason why the mount points /run and /dev/shm do not have
> MS_NOEXEC flags set?
> 
> We like to remove execution capabilities from all volatile areas that
> are writeable to users for security reasons


it's all not that easy - see 
https://bugzilla.redhat.com/show_bug.cgi?id=1398474 and 
https://bugs.exim.org/show_bug.cgi?id=1749 and I am pretty sure other 
pieces would break in case of noexec SHM (yes I know that these 
bug reports are not about SHM, they are just an example)





Re: [systemd-devel] Any reason why /run and /dev/shm do not have MS_NOEXEC flags set?

2017-02-01 Thread Lennart Poettering
On Wed, 01.02.17 11:19, Michael Biebl (mbi...@gmail.com) wrote:

> 2017-02-01 11:02 GMT+01:00 Hoyer, Marko (ADITG/SW2) :
> > - Is there any reason why the mount points /run and /dev/shm do not have
> > MS_NOEXEC flags set?
> 
> /run → https://www.freedesktop.org/wiki/Software/systemd/InitrdInterface/
> 
> the initrd can place executables in /run so it can cleanly
> disassemble the / file system
> 
> /dev/shm → the mount options have been like this for basically
> forever. I assume changing that has the potential to break existing
> software

Also, some software uses these locations to place memory mapped files
with PROT_EXEC set, which setting MS_NOEXEC prohibits too.

Lennart

-- 
Lennart Poettering, Red Hat
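An added example (not from the thread) of the second breakage Lennart points out: on a noexec mount the kernel refuses mmap(2) with PROT_EXEC, returning EPERM even though no execve() is involved, so software that maps code from /dev/shm or /run stops working. The probe below creates a one-page file in a directory and tries to map it executable; the directories it tries are whatever exists and is writable on the host, nothing is assumed about their mount options.

```python
"""Probe whether a directory's mount permits PROT_EXEC mappings. Added example."""

import errno
import mmap
import os
import tempfile


def probe_exec_mmap(directory: str) -> int:
    """Create a one-page temporary file in `directory` and map it PROT_READ|PROT_EXEC.

    Returns 0 if the mapping succeeds, errno.EPERM if the underlying mount is
    noexec (the kernel's answer for PROT_EXEC on a noexec mount), or the errno of
    any other failure. The temporary file is always removed."""
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        os.write(fd, b"\0" * mmap.PAGESIZE)
        try:
            m = mmap.mmap(fd, mmap.PAGESIZE, prot=mmap.PROT_READ | mmap.PROT_EXEC)
        except OSError as e:
            return e.errno
        m.close()
        return 0
    finally:
        os.close(fd)
        os.unlink(path)


def describe(directory: str) -> str:
    """Human-readable verdict for one directory."""
    rc = probe_exec_mmap(directory)
    if rc == 0:
        return f"{directory}: PROT_EXEC mapping allowed"
    if rc == errno.EPERM:
        return f"{directory}: PROT_EXEC refused (EPERM): mount is noexec"
    return f"{directory}: probe failed: {os.strerror(rc)}"


if __name__ == "__main__":
    # Candidate directories from the thread plus /tmp; only those present and
    # writable by the caller are probed.
    for d in ("/run/user/%d" % os.getuid(), "/dev/shm", "/tmp"):
        if os.path.isdir(d) and os.access(d, os.W_OK):
            print(describe(d))
```

Run it once before and once after remounting a candidate with noexec (`mount -o remount,noexec /dev/shm`) to see the EPERM verdict appear; the same check tells you whether a service that keeps working after the remount is simply not mapping code from there.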


Re: [systemd-devel] Any reason why /run and /dev/shm do not have MS_NOEXEC flags set?

2017-02-01 Thread Michael Biebl
2017-02-01 11:02 GMT+01:00 Hoyer, Marko (ADITG/SW2) :
> - Is there any reason why the mount points /run and /dev/shm do not have
> MS_NOEXEC flags set?

/run → https://www.freedesktop.org/wiki/Software/systemd/InitrdInterface/

the initrd can place executables in /run so it can cleanly
disassemble the / file system

/dev/shm → the mount options have been like this for basically
forever. I assume changing that has the potential to break existing
software


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?