[systemd-devel] [PATCH] Apply ProtectSystem to non-merged /usr directories
Simon McVittie
simon.mcvittie at collabora.co.uk
Tue Oct 21 11:59:48 PDT 2014
On 21/10/14 19:18, Lennart Poettering wrote:
> Well, on some distros lib64 is a symlink, on others it isn't. Doesn't
> Debian have /lib/<arch> or so with /lib64 just a symlink to the right
> subdir?

My Debian laptop has /lib64 as a real directory, containing a
ld-linux-x86-64.so.2 symlink into /lib/<multiarch tuple>.

I suspect this might be partly because Debian packages containing other
files or symlinks in /lib64 have existed in the past (e.g. to support
biarch compilers), and if any of those packages have lingered, dpkg is
not going to be happy to replace a non-empty directory with a symlink.

Being able to mount something read-only over /lib64 and /lib also seems
necessary from the ProtectSystem point of view, if you want
ProtectSystem to be a security measure and not just a guard against
accidents, since those two strings are part of the portable ABI for
Linux binaries on various architectures[1]. If a service can overwrite
one of those symlinks with an attacker-chosen value, then it's game over
the next time a binary with the relevant PT_INTERP tag is executed.

It looks as though I was wrong about lib32 not being necessary; it's in
that list too (albeit only for mips and tilegx); so is /libx32.

S

[1] https://sourceware.org/glibc/wiki/ABIList
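
Added example, not part of the original message and not systemd code: a bounds-checked reader that pulls the PT_INTERP path out of an ELF image and reports the top-level directory (such as /lib64) that therefore has to be read-only for the service. The function names are hypothetical, only ELF64 little-endian images are handled, and `sample_image` builds a constructed minimal image so the block needs no files.

```c
#include <stdint.h>
#include <string.h>

/* Read an n-byte little-endian integer. */
static uint64_t rd(const unsigned char *p, size_t n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Copy the PT_INTERP path of an ELF64 little-endian image into out.
 * Returns 0 on success, -1 if malformed or no PT_INTERP is present. */
int elf_interp(const unsigned char *img, size_t len, char *out, size_t outlen) {
    if (len < 64 || memcmp(img, "\177ELF", 4) != 0 || img[4] != 2 || img[5] != 1)
        return -1;                                 /* not ELF64 LSB */
    uint64_t phoff = rd(img + 32, 8);              /* e_phoff */
    uint64_t phentsize = rd(img + 54, 2), phnum = rd(img + 56, 2);
    if (phoff > len || phentsize < 56) return -1;
    for (uint64_t i = 0; i < phnum; i++) {
        uint64_t ph = phoff + i * phentsize;
        if (ph > len || len - ph < 56) return -1;  /* header out of bounds */
        if (rd(img + ph, 4) != 3) continue;        /* 3 == PT_INTERP */
        uint64_t off = rd(img + ph + 8, 8), sz = rd(img + ph + 32, 8);
        if (off > len || sz > len - off || sz == 0 || sz > outlen) return -1;
        if (img[off + sz - 1] != '\0') return -1;  /* path must be NUL-terminated */
        memcpy(out, img + off, sz);
        return 0;
    }
    return -1;
}

/* "/lib64/ld-linux-x86-64.so.2" -> "/lib64": the entry a service must not replace. */
int interp_root(const char *path, char *out, size_t outlen) {
    if (path[0] != '/') return -1;
    size_t n = strcspn(path + 1, "/") + 1;
    if (path[n] != '/' || n >= outlen) return -1;
    memcpy(out, path, n); out[n] = '\0';
    return 0;
}

/* Constructed sample: ELF64 header, one PT_INTERP program header, then the path.
 * buf must hold 120 + strlen(interp) + 1 bytes; interp must be under 255 bytes. */
size_t sample_image(unsigned char *buf, const char *interp) {
    size_t sz = strlen(interp) + 1;
    memset(buf, 0, 120 + sz);
    memcpy(buf, "\177ELF\2\1\1", 7);
    buf[32] = 64; buf[54] = 56; buf[56] = 1;       /* e_phoff, e_phentsize, e_phnum */
    buf[64] = 3; buf[72] = 120; buf[96] = (unsigned char)sz; /* type, offset, filesz */
    memcpy(buf + 120, interp, sz);
    return 120 + sz;
}
```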