From a8d3aad82895104699e2b43b5faf0a28c5670a5f Mon Sep 17 00:00:00 2001
From: mivirl <>
Date: Fri, 14 Mar 2025 17:50:04 +0000
Subject: [PATCH] Remove conflicting NoExecPaths and ExecPaths settings

From testing, ExecPaths setting appears to override the TemporaryFileSystem setting. When both NoExecPaths=/ and TemporaryFileSystem=/ are used, the entire filesystem remains available in the sandbox. This might be a bug with systemd since it doesn't appear to be documented (as of version 257). This isn't much of an issue since NoExecPaths didn't add much in the first place, since it's still possible to use any executable interpreters to load non-executable files, and /lib/ld-linux.so.2 is an interpreter that allows executing any ELF binaries, and must be marked executable for any binary to run in the first place. So an attacker could always work around it fairly easily.
---
 services/waf_darkhttpd.service | 4 ----
 services/waf_haproxy.service | 9 ++++-----
 services/waf_modsecurity.service | 4 ----
 3 files changed, 4 insertions(+), 13 deletions(-)

diff --git a/services/waf_darkhttpd.service b/services/waf_darkhttpd.service
index 62abb8c..2ff803d 100644
--- a/services/waf_darkhttpd.service
+++ b/services/waf_darkhttpd.service
@@ -37,10 +37,6 @@ BindReadOnlyPaths=/etc/resolv.conf
 BindReadOnlyPaths=/opt/waf_configs/darkhttpd/darkhttpd:/bin/darkhttpd
 BindReadOnlyPaths=/opt/waf_configs/darkhttpd/srv:/srv
 
-# Only allow executing binaries in /bin
-NoExecPaths=/
-ExecPaths=/bin
-
 UMask=0077
 
 ## User ------------------------------------------------------------------------
diff --git a/services/waf_haproxy.service b/services/waf_haproxy.service
index f59ae9b..4825106 100644
--- a/services/waf_haproxy.service
+++ b/services/waf_haproxy.service
@@ -34,9 +34,12 @@ BindReadOnlyPaths=/lib /lib64 /usr/lib /usr/lib64
 # Needed for reloading the service
 BindReadOnlyPaths=/bin/kill
 
-## Needed to notify systemd of service status
+# Needed to notify systemd of service status
 BindPaths=/run/systemd/notify
 
+# Log output
+BindPaths=/dev/log
+
 # DNS
 BindReadOnlyPaths=/etc/resolv.conf
 
@@ -52,10 +55,6 @@ BindReadOnlyPaths=/opt/waf_configs/haproxy/ip_allow.map:/etc/haproxy/ip_allow.ma
 BindReadOnlyPaths=-/opt/waf_configs/haproxy/server.pem:/etc/haproxy/server.pem
 BindReadOnlyPaths=/opt/waf_configs/haproxy/spoe-modsecurity.conf:/etc/haproxy/spoe-modsecurity.conf
 
-# Only allow executing binaries in /bin
-NoExecPaths=/
-ExecPaths=/bin
-
 UMask=0077
 
 ## User ------------------------------------------------------------------------
diff --git a/services/waf_modsecurity.service b/services/waf_modsecurity.service
index 88771f4..4acdd78 100644
--- a/services/waf_modsecurity.service
+++ b/services/waf_modsecurity.service
@@ -43,10 +43,6 @@ BindReadOnlyPaths=/opt/waf_configs/modsecurity/unicode.mapping:/etc/modsecurity/
 # Log files
 BindPaths=/opt/waf_configs/modsecurity/audit.log:/var/log/modsec_audit.log
 
-# Only allow executing binaries in /bin
-NoExecPaths=/
-ExecPaths=/bin
-
 UMask=0077
 
 ## User ------------------------------------------------------------------------
-- 
2.39.5
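Review bot: `BindPaths=/dev/log` exposes the log socket read-write while every other path in this hunk except the notify socket is bound read-only; connecting to a Unix socket needs write permission on the socket inode but, as far as I know, not a writable mount, so `BindReadOnlyPaths=/dev/log` is likely sufficient and keeps the unit's least-privilege pattern consistent — worth confirming by checking that a log line from the sandboxed haproxy still reaches journald. The `/dev/log` addition is also unrelated to the NoExecPaths/ExecPaths removal the subject describes and is not mentioned in the commit message; a sentence such as "Also bind /dev/log into the sandbox so haproxy's syslog output reaches the journal" (or a separate commit) would make the history accurate. The `# Log output` comment could say what consumes the socket, e.g. `# Log output: haproxy's syslog messages go to the journal via /dev/log`. The enclosing [Service] section starts and ends outside this hunk.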