[systemd-devel] Getting rid of the /run/credentials mount
Topi Miettinen
toiwoton at gmail.com
Thu Aug 25 20:37:12 UTC 2022
On 25.8.2022 22.42, Marc Haber wrote:
> Hi,
>
> the aide (https://github.com/aide/aide) tool builds checksums of files
> on the system and sends an alert if things change on the system. In the
> Debian package, this is done from cron. I would like to move that to a
> systemd timer and in passing use some of systemd's security features.
> Here is my service:
>
> [Unit]
> Description=dailyaide check
> StartLimitIntervalSec=7200
> StartLimitBurst=1
>
> [Service]
> Type=oneshot
> User=root
> Group=root
> Environment="CREDENTIALS_DIRECTORY=/nonexistent"
> ProtectSystem=strict
> ProtectClock=yes
> ProtectKernelModules=no
> ProtectKernelLogs=yes
> ProtectControlGroups=yes
> PrivateDevices=no
> ProtectKernelTunables=yes
> ProtectControlGroups=yes
> ProtectHome=read-only
> ReadWritePaths=/run/aide /var/lib/aide /var/log/aide /var/spool/exim4 /var/log/exim4 /var/tmp /tmp
> RestrictRealtime=yes
> RestrictSUIDSGID=yes
> PrivateTmp=no
> ExecStartPre-=/bin/umount /run/credentials
> ExecStart=/usr/local/sbin/dailyaidecheck --systemdservice
>
> You might see that I have tried some things to get rid of the mount of
> /run/credentials which allows an attacker to hide something in
> /run/credentials without aide being able to see it because it gets some
> temporary filesystem mounted over that path.
>
> Unfortunately, neither of those tricks have worked, and my
> /run/credentials/foo that I created before starting my service remains
> undetected.
>
> What do I do to disable the credentials mechanism in my service?
You could use TemporaryFileSystem=/run together with a few BindPaths=
for the required directories. For example, on my setup the user doesn't
see all cruft in global /run:
$ ls /run
dbus/ firejail/ systemd/ udev/ user/
See also
https://github.com/systemd/systemd/pull/21748
for some thoughts on tentative new directive PrivateRun= or something
similar.
-Topi
>
> Greetings
> Marc
>
>
More information about the systemd-devel
mailing list