systemd mounts /run without noexec

Bug #1991661 reported by John Chittum
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| initramfs-tools (Ubuntu) | Invalid | Undecided | Unassigned | |
| systemd (Ubuntu) | Triaged | Medium | Unassigned | |

Bug Description

initramfs-tools in Bionic+, when mounting the filesystem, mounts /run with noexec

Cloud images run without an initramfs and rely on systemd for the mounts. systemd, however, mounts /run without noexec. Snippet from mount-setup.c (src/core/mount-setup.c in systemd < 248, src/shared/mount-setup.c in systemd >= 248):

```c
#if ENABLE_SMACK
        { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          mac_smack_use, MNT_FATAL },
#endif
        { "tmpfs", "/run", "tmpfs", "mode=755" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          NULL, MNT_FATAL|MNT_IN_CONTAINER },
```

Originally raised in an askubuntu forum:
https://askubuntu.com/questions/1432383/mounting-run-as-noexec/1433208

CPC hasn't received word from any partners yet, but it does constitute a possible regression from how the system was mounted in Bionic and Focal before moving to optimized boots in 2020/2021.

Steve Langasek (vorlon) wrote :

The initramfs-tools behavior is longstanding and deliberate; the systemd behavior is the buggy deviation.

Changed in initramfs-tools (Ubuntu):
status: New → Invalid
Changed in systemd (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: added: foundations-todo
Nick Rosbrook (enr0n) wrote :

I think one problem with changing this in systemd is that generators are allowed to be placed in /run [1]. While mounting /run noexec would not affect interpreted generators like bash scripts, it would prevent binary executable generators from being placed in /run.

If we find it necessary, we could carry a delta for this in Ubuntu, but I am not sure this is a change upstream will accept.

[1] https://www.freedesktop.org/software/systemd/man/systemd.generator.html

Craig Francis (craig.francis) wrote :

Hi, I asked the original question, and tbh, I'm only just following along (I haven't really spent much time looking at initramfs/systemd).

I'm just wondering, is this something that's likely to be changed for the AWS servers?

Or should I use the suggestions from Andrew Lowther[1] on how I could modify the "/usr/share/initramfs-tools/init" and run update-initramfs... or disable "/etc/default/grub.d/40-force-partuuid.cfg", and run update-grub?

If so, I'm not sure what the risks are (e.g. I'd rather have a server that can boot; and I assume "initramfs-tools" could get an update in the future that replaces the modified "init" script, so the noexec would be lost again?).

Previously[2] this kind of thing was seen as a "High" severity problem by Tenable (I'm not sure why).

In my case, I'd simply like to make sure the "www-data" user (used by Apache/PHP) can only write to folders that are on noexec partitions (the idea being "defence in depth", not perfect, just if anyone using the website was somehow able to write arbitrary files to disk, then they cannot be executed normally, while accepting that shell and other scripts can still be executed).

[1] https://askubuntu.com/a/1432445/924107
[2] https://www.tenable.com/plugins/nessus/73180
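The two checks discussed on this page, whether /run (or any tmpfs) is mounted without noexec, and whether a directory a service account such as www-data can write to is actually backed by a noexec mount, can be scripted against the mount table. The following is an added example written for this page; it is not code from the bug report, from systemd or from initramfs-tools. It parses the `/proc/self/mounts` line format ("source target fstype options dump pass") and runs over a constructed mount table that mirrors what the report describes for a cloud image booted without an initramfs (/run lacking noexec); the table contents, sizes and paths are assumed sample values, not captured from a real host.

```python
"""Audit mounts for the noexec option using the /proc/self/mounts format.

Added example for the bug report above (not systemd or initramfs-tools code).
SAMPLE_TEXT is a constructed mount table, not output from a real machine.
"""
import os
from typing import List, NamedTuple, Optional


class Mount(NamedTuple):
    source: str
    target: str
    fstype: str
    options: frozenset


# Constructed snapshot: systemd mounted /run with nosuid,nodev but no noexec,
# while /tmp and the pseudo filesystems carry noexec.
SAMPLE_TEXT = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=1000000k,mode=755 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=200000k,mode=755 0 0
/dev/root / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
"""


def parse_mounts(text: str) -> List[Mount]:
    """Parse lines in /proc/self/mounts format.

    Each line is 'source target fstype options dump pass'; spaces inside a
    mount point are octal-escaped as \\040 in this format, so undo that.
    """
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        source, target, fstype, opts = parts[:4]
        target = target.replace("\\040", " ")
        mounts.append(Mount(source, target, fstype, frozenset(opts.split(","))))
    return mounts


def missing_noexec(mounts: List[Mount], fstypes=("tmpfs",)) -> List[str]:
    """Mount points of the given filesystem types that lack the noexec option."""
    return [m.target for m in mounts
            if m.fstype in fstypes and "noexec" not in m.options]


def mount_for_path(mounts: List[Mount], path: str) -> Optional[Mount]:
    """Longest-prefix match: the mount that actually backs `path`."""
    path = os.path.normpath(path)
    best = None
    for m in mounts:
        t = m.target
        if t == "/" or path == t or path.startswith(t.rstrip("/") + "/"):
            if best is None or len(t) > len(best.target):
                best = m
    return best


def writable_dir_is_noexec(mounts: List[Mount], path: str) -> bool:
    """True if the mount backing `path` carries noexec.

    Use this for every directory a service account can write to; files
    dropped there cannot be executed directly, although interpreters can
    still run scripts read from a noexec mount.
    """
    m = mount_for_path(mounts, path)
    return m is not None and "noexec" in m.options


SAMPLE_MOUNTS = parse_mounts(SAMPLE_TEXT)


if __name__ == "__main__":
    # Swap SAMPLE_TEXT for open("/proc/self/mounts").read() to audit the live host.
    for target in missing_noexec(SAMPLE_MOUNTS):
        print(f"tmpfs mounted without noexec: {target}")
    for writable in ("/run/php", "/tmp/uploads", "/var/www/html"):  # assumed paths
        backing = mount_for_path(SAMPLE_MOUNTS, writable)
        print(f"{writable}: backed by {backing.target}, "
              f"noexec={'noexec' in backing.options}")
```

On a live system replace the constructed text with the contents of `/proc/self/mounts`; the report then shows which tmpfs mounts lack noexec and, for each directory the web user can write to, whether the mount backing it would refuse to execute a dropped file.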

Nick Rosbrook (enr0n)
tags: removed: foundations-todo