On 02/01/17 13:13, Hoyer, Marko (ADITG/SW2) wrote:
> Hi,
> thanks to all for your fast feedback. I'll kick off an internal discussion 
> based on the facts you delivered to find out if our people actually want what 
> they want ;)

Filesystem W^X is a nice idea, but considering scripting or other (even
unintentional) Turing complete interpreters in a system, its not very
strong protection. See also

In my setup I have mounted /run with noexec, but /run/user/* still exec.
Then for each service you can enable systemd directive ProtectHome=true
which makes /run/user inaccessible.

Likewise for /dev/shm, you can check if it is needed by each service at
all and make it completely inaccessible if so, rather than making it
globally noexec.


systemd-devel mailing list

Reply via email to