]> _ Git - web-application-firewall.git/commit
projects / web-application-firewall.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: cd7b90d) | patch
Remove conflicting NoExecPaths and ExecPaths settings
authormivirl <>
Fri, 14 Mar 2025 17:50:04 +0000 (17:50 +0000)
committermivirl <>
Fri, 14 Mar 2025 17:50:04 +0000 (17:50 +0000)
commita8d3aad82895104699e2b43b5faf0a28c5670a5f
treeb89c1d07fdb60eb84edc3127e6e893f8af212dcctree | snapshot
parentcd7b90d23f6e3a952f6871bd9efd0b318677c56acommit | diff
Remove conflicting NoExecPaths and ExecPaths settings

From testing, ExecPaths setting appears to override the
TemporaryFileSystem setting. When both NoExecPaths=/ and
TemporaryFileSystem=/ are used, the entire filesystem remains available
in the sandbox.

This might be a bug with systemd since it doesn't appear to be
documented (as of version 257).

This isn't much of an issue since NoExecPaths didn't add much in the
first place, since it's still possible to use any executable
interpreters to load non-executable files, and /lib/ld-linux.so.2 is an
interpreter that allows executing any ELF binaries, and must be marked
executable for any binary to run in the first place. So an attacker
could always work around it fairly easily.
services/waf_darkhttpd.service diff | blob | history
services/waf_haproxy.service diff | blob | history
services/waf_modsecurity.service diff | blob | history
Block or rate limit untrusted requests to a web application