[Bug 1991661] Re: systemd mounts /run without noexec

Craig Francis 1991661 at bugs.launchpad.net
Wed Oct 5 14:26:35 UTC 2022


Hi, I asked the original question, and tbh, I'm only just following
along (I haven't really spent much time looking at initramfs/systemd).

I'm just wondering, is this something that's likely to be changed for
the AWS servers?

Or should I use the suggestions from Andrew Lowther[1] on how I could
modify the "/usr/share/initramfs-tools/init" and run update-initramfs...
or disable "/etc/default/grub.d/40-force-partuuid.cfg", and run
update-grub?

If so, I'm not sure what the risks are (e.g. I'd rather have a server
that can boot; and I assume "initramfs-tools" could get an update in the
future that replaces the modified "init" script, so the noexec would be
lost again?).

Previously[2] this kind of thing was seen as a "High" severity problem
by Tenable (I'm not sure why).

In my case, I'd simply like to make sure the "www-data" user (used by
Apache/PHP) can only write to folders that are on noexec partitions (the
idea being "defence in depth", not perfect, just if anyone using the
website was somehow able to write arbitrary files to disk, then they
cannot be executed normally, while accepting that shell and other
scripts can still be executed).

[1] https://askubuntu.com/a/1432445/924107
[2] https://www.tenable.com/plugins/nessus/73180

https://bugs.launchpad.net/bugs/1991661

Title:
  systemd mounts /run without noexec

Status in initramfs-tools package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  Triaged

Bug description:
  initramfs-tools in Bionic+, when mounting the filesystem, mounts /run
  with noexec

  Cloud images run without initramfs and rely on systemd for the mounts.
  systemd, however, mounts /run without noexec. Snip from mount-setup.c
  (either in src/core/mount-setup.c < 248 or src/shared/mount-setup.c in
  >= 248 )

  ```c
  #if ENABLE_SMACK
          { "tmpfs",       "/run",                      "tmpfs",      "mode=755,smackfsroot=*" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
            mac_smack_use, MNT_FATAL                  },
  #endif
          { "tmpfs",       "/run",                      "tmpfs",      "mode=755" TMPFS_LIMITS_RUN,               MS_NOSUID|MS_NODEV|MS_STRICTATIME,
            NULL,          MNT_FATAL|MNT_IN_CONTAINER },
  ```

  Originally raised in an askubuntu forum:
  https://askubuntu.com/questions/1432383/mounting-run-as-noexec/1433208

  CPC hasn't received word from any partners yet, but it does constitute
  a possible regression from how the system was mounted in Bionic and
  Focal before moving to optimized boots in 2020/2021.
