
(re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security?

That doesn’t seem to work. I can’t get a shell in initramfs. Nothing happens.

1 Like

Could you try a “proper” initramfs shell instead please?

From https://manpages.debian.org/buster/initramfs-tools-core/initramfs-tools.7.en.html

Kernel parameter break=bottom might give an initramfs rescue shell which could be used for experimentation, i.e. manually running mount commands.

1 Like

That doesn’t work either. It just makes it hang during boot.

1 Like

Figured out how to get an initramfs shell from the GRUB command line:

root=(hd0,msdos1)
linux /boot/vmlinuz-4.19.0-11-amd64
initrd /boot/initrd.img-4.19.0-11-amd64
boot

Will investigate the remount-secure issue now.

1 Like

Remounting /run from initramfs definitely works.

grub> root=(hd0,msdos1)
grub> linux /boot/vmlinuz-4.19.0-11-amd64
grub> initrd /boot/initrd.img-4.19.0-11-amd64
grub> boot

(initramfs) echo "BOOT_IMAGE=/boot/vmlinuz-$(uname -r) root=/dev/vda1" > /cmdline-fake
(initramfs) mount -o bind /cmdline-fake /proc/cmdline
(initramfs) sh /scripts/functions
(initramfs) mount -o remount,nosuid,nodev,noexec /run
(initramfs) /init
(initramfs) exit

/tmp doesn’t seem to work however (probably being overwritten by systemd or something).

1 Like

Got them all:

grub> root=(hd0,msdos1)
grub> linux /boot/vmlinuz-4.19.0-11-amd64
grub> initrd /boot/initrd.img-4.19.0-11-amd64
grub> boot

(initramfs) echo "BOOT_IMAGE=/boot/vmlinuz-$(uname -r) root=/dev/vda1" > /cmdline-fake
(initramfs) mount -o bind /cmdline-fake /proc/cmdline
(initramfs) sh /scripts/functions
(initramfs) mount -o remount,nosuid,nodev,noexec /run
(initramfs) /init
(initramfs) chroot /root

root@(none) mount -o bind,nosuid,noexec,nodev /home /home
root@(none) mount -o bind,nosuid,noexec,nodev /tmp /tmp
root@(none) mkdir /dev/shm
root@(none) mount -t tmpfs -o nosuid,noexec,nodev /dev/shm /dev/shm
root@(none) exit

(initramfs) exit
2 Likes
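As an added example (not code from this thread or from remount-secure), a POSIX shell audit that checks whether the mount points remounted above actually carry nosuid,nodev,noexec; the function names and the /proc/mounts-style sample lines are constructed for the example:

```shell
#!/bin/sh
# Added example, not from the thread: audit /proc/mounts-style data for the
# nosuid,nodev,noexec options the thread sets on /run, /home, /tmp and /dev/shm.

# Constructed sample in /proc/mounts format; /tmp deliberately lacks noexec.
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0
/dev/vda1 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# has_opt OPTS OPT: succeed if comma-separated OPTS contains OPT as a whole token.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_opts MOUNTS MOUNTPOINT: print the hardening options absent on MOUNTPOINT
# (empty line if none), or "not-mounted"; exit status 0 only when fully hardened.
missing_opts() {
    # The last matching line wins, matching the kernel's view after an over-mount.
    opts=$(printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 1
    fi
    missing=""
    for want in nosuid nodev noexec; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# audit_mounts MOUNTS: report each mount point the thread hardens; fail if any is short.
audit_mounts() {
    rc=0
    for mp in /run /home /tmp /dev/shm; do
        m=$(missing_opts "$1" "$mp") || rc=1
        [ -n "$m" ] && echo "$mp: missing $m" || echo "$mp: ok"
    done
    return $rc
}

# Run on the constructed sample; on a live system pass "$(cat /proc/self/mounts)".
audit_mounts "$SAMPLE_MOUNTS" || echo "some mount points are not fully hardened"
```

Running it after boot is the quickest way to see whether a remount done in initramfs survived systemd's own mounts of /tmp and /dev/shm, which is the failure the thread observes.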

Just coming to mind now. /etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs is using a proper initramfs header.

PREREQ=""
prereqs()
{
        echo "$PREREQ"
}
case $1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

remount-secure did not do that yet. Likely that is also a source of issues.

1 Like

I tried that too and it didn’t seem to change anything.

1 Like