[systemd-devel] Getting rid of the /run/credentials mount

[Topi Miettinen]

On 25.8.2022 22.42, Marc Haber wrote:
> Hi,
> 
> the aide (https://github.com/aide/aide) tool builds checksums of files
> on the system and sends an alert if things change on the system. In the
> Debian package, this is done from cron. I would like to move that to a
> systemd timer and in passing use some of systemd's security features.
> Here is my service:
> 
> [Unit]
> Description=dailyaide check
> StartLimitIntervalSec=7200
> StartLimitBurst=1
> 
> [Service]
> Type=oneshot
> User=root
> Group=root
> Environment="CREDENTIALS_DIRECTORY=/nonexistent"
> ProtectSystem=strict
> ProtectClock=yes
> ProtectKernelModules=no
> ProtectKernelLogs=yes
> ProtectControlGroups=yes
> PrivateDevices=no
> ProtectKernelTunables=yes
> ProtectControlGroups=yes
> ProtectHome=read-only
> ReadWritePaths=/run/aide /var/lib/aide /var/log/aide /var/spool/exim4 /var/log/exim4 /var/tmp /tmp
> RestrictRealtime=yes
> RestrictSUIDSGID=yes
> PrivateTmp=no
> ExecStartPre-=/bin/umount /run/credentials
> ExecStart=/usr/local/sbin/dailyaidecheck --systemdservice
> 
> You might see that I have tried some things to get rid of the mount of
> /run/credentials which allows an attacker to hide something in
> /run/credentials without aide being able to see it because it gets some
> temporary filesystem mounted over that path.
> 
> Unfortunately, neither of those tricks have worked, and my
> /run/credentials/foo that I created before starting my service remains
> undetected.
> 
> What do I do to disable the credentials mechanism in my service?

You could use TemporaryFileSystem=/run together with a few BindPaths= 
for the required directories. For example, on my setup the user doesn't 
see all cruft in global /run:
$ ls /run
dbus/  firejail/  systemd/  udev/  user/

See also
https://github.com/systemd/systemd/pull/21748
for some thoughts on tentative new directive PrivateRun= or something 
similar.

-Topi

> 
> Greetings
> Marc
> 
>