(re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security?

Patrick · August 27, 2019, 6:18pm

Patrick · August 28, 2019, 7:09am

There is --bind and --rbind. Looks like what we want is --rbind?

Need to make sure that the original mount is no longer accessible. For example if we mount /tmp on top of /tmp with more secure mount options, then the original /tmp must no longer be accessible. Is that the case or some trick how a non-root user could still access the original /tmp?

madaidan · August 28, 2019, 3:41pm

Yes, that sounds like a good idea.

Not that I know of.

It would probably be unneeded complexity. I doubt most users would want to change the mount options.

I don’t think there’s any way to do that with just mount. We could grep the output of mount and if it isn’t there, leave out remount.

I don’t think there would be a big difference.

It should be the case. I don’t know of any way to access the original /tmp.

Patrick_mobile · September 7, 2019, 12:32am

https://chromium.googlesource.com/chromiumos/docs/+/master/security/noexec_shell_scripts.md

mount /home -o remount,nodev,nosuid,noexec

Patrick · September 7, 2019, 2:25am

github.com/QubesOS/qubes-issues

Mount /rw and /home with nosuid + nodev

opened 02:20PM - 21 Aug 19 UTC

tasket

T: enhancement C: templates security P: default

**The problem you're addressing (if any)** When a template has been configured …to enforce internal user permissions, malware that gains a temporarily useful privilege escalation may continue as root user indefinitely in AppVMs by setting up executables in /home that have +s SUID bit set. The effect is that an OS patch for the initial vulnerability will not de-privilege malware that exploited it. Similarly, the ability to create device node files in /home can permit privilege escalation, and such nodes normally don't belong in /home. **Describe the solution you'd like** Change the /rw and /home entries in /etc/fstab to use the `nosuid` and `nodev` options. This works even with bind mounts. **Where is the value to a user, and who might that user be?** Users who do not want malware to persist indefinitely or easily gain root privileges may remove the 'qubes-core-agent-passwordless-root' package, or reconfigure templates according to the 'vm-sudo' doc or Qubes-VM-hardening. Mounting /rw and /home with `nosuid` + `nodev` bolsters security in such template configurations by giving OS security patches a chance to de-privilege malware. **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** https://www.qubes-os.org/doc/vm-sudo/ https://github.com/tasket/Qubes-VM-hardening

github.com/tasket/Qubes-VM-hardening

Disable suid in /rw

opened 02:25PM - 21 Aug 19 UTC

closed 04:36PM - 02 Sep 19 UTC

tasket

When a template has been configured to enforce internal user permissions, malwar…e that gains a temporarily useful privilege escalation may continue as root user indefinitely in AppVMs by setting up executables in /home that have +s SUID bit set. The effect is that an OS patch for the initial vulnerability will not de-privilege malware that exploited it. Possible solutions: 1. Have the installer change the /rw and /home entries in /etc/fstab to use the 'nosuid' option. 2. Upstream Qubes issue to reconfigure fstab: https://github.com/QubesOS/qubes-issues/issues/5263 @adrelanos

https://www.cyberciti.biz/faq/howto-mount-tmp-as-separate-filesystem-with-noexec-nosuid-nodev/

https://secscan.acron.pl/centos7/1/1/17

Patrick · September 19, 2019, 2:36pm

github.com/QubesOS/qubes-issues

mount /tmp /var/tmp /dev/shm with nodev nosuid

opened 11:29AM - 18 Sep 19 UTC

adrelanos

T: enhancement C: templates security P: default

These folders * /tmp * /var/tmp * /dev/shm are user writable. Similar… to * https://github.com/QubesOS/qubes-issues/issues/5263 * https://github.com/tasket/Qubes-VM-hardening/issues/41 [Quote](https://github.com/QubesOS/qubes-issues/issues/2695#issuecomment-301316132) Joanna (founder of Qubes OS): > I've been recently talking about this with Solar Designer of Openwall (a person who probably knows more about Linux security model than most of us together) [Quote](https://github.com/QubesOS/qubes-issues/issues/2695#issuecomment-301320361 ) solar: > Ideally, there should be no SUID binaries reachable from the user account, as otherwise significant extra attack surface inside the VM is exposed (dynamic linker, libc startup, portions of Linux kernel including ELF loader, etc.) Therefore I concluded: SUID has to go away. At least user (speak: possibly malware) created SUID should be prevented form being easily executed. [Getting rid of SUID binaries which are installed by default is worthwhile too but less trivial.](https://forums.whonix.org/t/disable-suid-binaries/7706) Therefore out of scope for this ticket.

madaidan · September 24, 2019, 9:22pm

Patrick · December 5, 2019, 3:08pm

ticket: lock down interpreters (interpreter lock)

Patrick · December 6, 2019, 10:14am

Patrick · December 6, 2019, 4:37pm

Fixes (noexec) and enhancements in git master and developers repository.

Patrick · December 17, 2019, 8:37am

madaidan · December 19, 2019, 6:18pm

https://seifried.org/lasg/installation/

The “Filesystem layout and structuring” section has a table on which directories to use restrictive mount options on.

Patrick · December 20, 2019, 10:17am

Quote Kernel Hardening - security-misc - #328 by Patrick

Patrick · December 20, 2019, 10:27am

Patrick · December 21, 2019, 10:29am

I’ve refactored /usr/lib/security-misc/remount-secure. Should now be quite easy to add new remounts.

https://github.com/Whonix/security-misc/blob/master/usr/lib/security-misc/remount-secure#L83-L113

Patrick · December 21, 2019, 7:05pm

This is causing many issues.

user@debian-buster-test:~$ sudo iptables --list
iptables/1.8.2 Failed to initialize nft: Protocol not supported

lsmod shows that fewer modules are load. And module auto loading is broken. This breaks Whonix firewall. Will therefore disable remounting /lib with nosuid,nodev. But no security reduction. There are no devices and no suid in /lib anyhow. And permission hardening was speed up so that parsing /lib in permission hardening is ok.

Linux Kernel Runtime Guard (LKRG) - Linux Kernel Runtime Integrity Checking and Exploit Detection - #16 by Patrick can also cause iptables/1.8.2 Failed to initialize nft: Protocol not supported

Patrick · December 29, 2019, 9:54am

These two things must not run together.

Dec 29 04:17:12 debian-buster-test remount-secure[410]: mount -o nosuid,nodev --bind /tmp /tmp

Dec 29 04:17:12 debian-buster-test permission-hardening[413]: /usr/lib/security-misc/permission-hardening: line 255: cannot create temp file for here-document: No such file or directory
Dec 29 04:17:12 debian-buster-test permission-hardening[413]: ERROR: cannot parse line: /usr/bin/sudo exactwhitelist

Can cause issues such as this:

How can a systemd unit alone without any others being executed at the very same time?

Patrick · December 30, 2019, 11:25am

This needs a revision.

systemd unit file to remount /home /tmp /dev/shm /run with nosuid,nodev

[systemd-devel] systemd unit file to remount /home /tmp /dev/shm /run with nosuid, nodev
[systemd-devel] systemd unit file to remount /home /tmp /dev/shm /run with nosuid, nodev

madaidan · March 7, 2020, 4:56pm

/run/user/1000 bypasses /run’s noexec as it is its own mount point. We might want to look into restricting that too.

It could be useful to mount /dev with noexec.

We should experiment with the ro mount option to mount directories as read-only. /sys would be a good one for this as most things don’t need to write to it.

More mount points we can restrict are:

mqueue on /dev/mqueue type mqueue (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)

CLIP OS’s fstab is here products_clipos/40_fstab.sh at master · clipos/products_clipos · GitHub

Patrick · March 7, 2020, 4:59pm

I can merge that but it won’t help much. The current implementation is a dead-end. It’s needs to be replaced entirely. See my previous post. There I link to my question, the bug description and reply by systemd.