From systemd-devel Mon Dec 30 10:03:24 2019
From: Patrick Schleizer
Date: Mon, 30 Dec 2019 10:03:24 +0000
To: systemd-devel
Subject: [systemd-devel] systemd unit file to remount /home /tmp /dev/shm /run with nosuid, nodev
Message-Id:
X-MARC-Message: https://marc.info/?l=systemd-devel&m=157770061220668

Hello,

a script to remount /home /tmp /dev/shm /run (configurable) with nosuid,nodev (+noexec configurable) has been created by me. The purpose of remounting is increasing the security of the system. The script shall run as early as reasonably possible during boot.

The systemd unit file [1] and script [2] are attached below in a simplified version; links to the actual version: [3] [4]. This is planned to be enabled by default in a Debian derivative Linux distribution.

The issue with the systemd unit file is that it runs the script while other scripts are run, and it seems like "mount -o nosuid,nodev --bind /tmp /tmp" is non-atomic. By that I mean, other scripts (run by other systemd unit files) that require /tmp are experiencing a split second or so where /tmp is non-writeable and therefore fail. Various race conditions are possible and one was already experienced.

How to solve that?

Not using '/etc/fstab.d' because the fstab '.d' folder does not exist yet. [5]
Not using '/etc/fstab' because that is non-ideal for a derivative Debian Linux distribution. [6]

a) The remount-secure.service unit file should run alone. Non-parallel. Until remount-secure.service is done, no other systemd unit files should be run. Is that possible with systemd?

b) The remount-secure.service should add a reverse dependency to most other systemd unit files which is saying "After=remount-secure.service". Is that possible?

c) Could the systemd unit file express "do this right after systemd is done with the usual file system mounting but still"? Which service or target would that be? 'Before=local-fs.target' and 'After=systemd-remount-fs.service'?

d) Or remount-secure.service should not exist and instead be a drop-in configuration file snippet '/lib/systemd/system/systemd-remount-fs.service.d/30_remount-secure.conf' using 'ExecStartPost=/usr/lib/security-misc/remount-secure'?

e) Any other solution?

Kind regards,
Patrick

[1]
[Unit]
Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
Documentation=https://github.com/Whonix/security-misc
DefaultDependencies=no
Before=sysinit.target
Requires=local-fs.target
After=local-fs.target
After=qubes-sysinit.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/security-misc/remount-secure

[Install]
WantedBy=sysinit.target

[2]
#!/bin/sh
# Simplified version; the actual script [4] makes the paths and noexec configurable.
mount -o remount,nosuid,nodev /home
mount -o remount,nosuid,nodev /run
mount -o remount,nosuid,nodev /dev/shm
# Bind-mount /tmp over itself so the options can be applied even when it is not
# a separate mount (mount performs the bind first, then a remount with the options).
mount -o nosuid,nodev --bind /tmp /tmp

[3] https://github.com/Whonix/security-misc/blob/master/lib/systemd/system/remount-secure.service
[4] https://github.com/Whonix/security-misc/blob/master/usr/lib/security-misc/remount-secure
[5] https://github.com/systemd/systemd/issues/12506
[6] Confusing question for users who upgrade or make changes to the file. (dpkg interactive conflict resolution dialog)

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
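A post-boot check for the outcome of the script in [2], added here as an example that is not part of the original message or of security-misc: it parses text in /proc/self/mountinfo format (a constructed sample is embedded; on a live system pass the real file's contents) and reports which of the four paths still lack nosuid or nodev, taking the last entry for a mount point because a later mount on the same path shadows the earlier one.

```shell
# Constructed sample in /proc/self/mountinfo format (not real output): field 5 is the
# mount point, field 6 the VFS mount options. /run is already nosuid,nodev, /home and
# /dev/shm are not; /tmp appears twice: a bind mount applied on top of an earlier one
# shadows it, so the later entry is what processes see.
SAMPLE_MOUNTINFO='25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
30 25 0:24 / /run rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw
31 25 0:25 / /dev/shm rw,relatime - tmpfs tmpfs rw
40 25 8:1 /home /home rw,relatime - ext4 /dev/sda1 rw
41 25 8:1 /tmp /tmp rw,relatime - ext4 /dev/sda1 rw
42 25 8:1 /tmp /tmp rw,nosuid,nodev,relatime - ext4 /dev/sda1 rw'

# mount_opts MOUNTINFO PATH: print the options of the topmost mount on PATH (last
# matching line wins); prints nothing if PATH is not a mount point. Mount points
# containing spaces appear escaped as \040 in mountinfo, so pass them that way.
mount_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" '$5 == mp { opts = $6 } END { print opts }'
}

# check_mount MOUNTINFO PATH OPT...: succeed only if every OPT is set on PATH.
check_mount() {
  info=$1; mp=$2; shift 2
  opts=$(mount_opts "$info" "$mp")
  [ -n "$opts" ] || { echo "$mp: not a mount point"; return 1; }
  missing=""
  for want in "$@"; do
    case ",$opts," in
      *",$want,"*) ;;
      *) missing="$missing $want" ;;
    esac
  done
  if [ -n "$missing" ]; then
    echo "$mp: missing$missing (options: $opts)"
    return 1
  fi
  echo "$mp: ok ($opts)"
}

# check_all MOUNTINFO: verify the four paths that remount-secure handles.
check_all() {
  rc=0
  for mp in /home /run /dev/shm /tmp; do
    check_mount "$1" "$mp" nosuid nodev || rc=1
  done
  return $rc
}

# Stand-alone run against the sample; on a live system use "$(cat /proc/self/mountinfo)".
if check_all "$SAMPLE_MOUNTINFO"; then echo "all hardened"; else echo "some mounts are not hardened"; fi
```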