Hi, I asked the original question, and tbh, I'm only just following along (I haven't really spent much time looking at initramfs/systemd).
I'm just wondering, is this something that's likely to be changed for the AWS servers? Or should I use the suggestions from Andrew Lowther[1] on how I could modify the "/usr/share/initramfs-tools/init" and run update-initramfs... or disable "/etc/default/grub.d/40-force-partuuid.cfg", and run update-grub? If so, I'm not sure what the risks are (e.g. I'd rather have a server that can boot; and I assume "initramfs-tools" could get an update in the future that replaces the modified "init" script, so the noexec would be lost again?).

Previously[2] this kind of thing was seen as a "High" severity problem by Tenable (I'm not sure why).

In my case, I'd simply like to make sure the "www-data" user (used by Apache/PHP) can only write to folders that are on noexec partitions (the idea being "defence in depth", not perfect, just if anyone using the website was somehow able to write arbitrary files to disk, then they cannot be executed normally, while accepting that shell and other scripts can still be executed).

[1] https://askubuntu.com/a/1432445/924107
[2] https://www.tenable.com/plugins/nessus/73180

https://bugs.launchpad.net/bugs/1991661

Title: systemd mounts /run without noexec

Status in initramfs-tools package in Ubuntu: Invalid
Status in systemd package in Ubuntu: Triaged

Bug description:
initramfs-tools in Bionic+, when mounting the filesystem, mounts /run with noexec. Cloud images run without initramfs and rely on systemd for the mounts. systemd, however, mounts /run without noexec.

Snip from mount-setup.c (either in src/core/mount-setup.c < 248 or src/shared/mount-setup.c in >= 248):

```c
#if ENABLE_SMACK
        { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME, mac_smack_use, MNT_FATAL },
#endif
        { "tmpfs", "/run", "tmpfs", "mode=755" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME, NULL, MNT_FATAL|MNT_IN_CONTAINER },
```

Originally raised in an askubuntu forum: https://askubuntu.com/questions/1432383/mounting-run-as-noexec/1433208

CPC hasn't received word from any partners yet, but it does constitute a possible regression from how the system was mounted in Bionic and Focal before moving to optimized boots in 2020/2021.
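As an added check for the situation described in this thread (my own example, not code from the bug report or from systemd), the script below parses /proc/mounts-format text, finds the mount backing each path of interest, and reports those whose mount lacks noexec. The sample mount table is constructed to mirror the reported state: /run mounted by systemd without noexec, /tmp and /run/lock with it.

```python
"""Audit whether given paths sit on a noexec mount (added example)."""
import os

# Constructed sample in /proc/mounts format (not captured from a real host):
# /run lacks noexec, as the bug describes; /tmp and /run/lock carry it.
SAMPLE_MOUNTS = """\
/dev/root / ext4 rw,relatime,discard 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=400000k,mode=755 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
"""


def parse_mounts(text):
    """Return a list of (mountpoint, option-set) from /proc/mounts-format text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in paths as \040
        mountpoint = fields[1].replace("\\040", " ")
        mounts.append((mountpoint, set(fields[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Pick the mount whose mountpoint is the longest prefix of path."""
    path = os.path.normpath(path)
    best = None
    for mountpoint, opts in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, opts)
    return best


def is_noexec(path, mounts):
    """True if the mount backing path carries the noexec option."""
    found = mount_for(path, mounts)
    return found is not None and "noexec" in found[1]


def audit(paths, mounts):
    """Return [(path, mountpoint)] for paths that are not on a noexec mount."""
    return [(p, (mount_for(p, mounts) or (None,))[0])
            for p in paths if not is_noexec(p, mounts)]


if __name__ == "__main__":
    with open("/proc/mounts") as f:  # run against the live mount table
        live = parse_mounts(f.read())
    for path, mountpoint in audit(["/run", "/tmp", "/var/tmp", "/dev/shm"], live):
        print(f"{path}: backed by mount {mountpoint} without noexec")
```

Run directly it checks the live host; the functions can also be fed the output of another machine's /proc/mounts for an offline review of directories that www-data can write to.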

