New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secure Remounting #128
Comments
Editing /etc/fstab manually as system administrator is fine. Editing /etc/fstab with a package, as a Linux distribution is quite harder. If we'd ship /etc/fstab in a package that would make user modifications hard. [1] And that's also not an option because... If the /etc/fstab is already owned by another package (such as There is no See here for more details and discussion: [1]
|
I have read the documentation and I think we might have a better workaround. Upon installing kicksecure we already make several assumptions like a user named user being a sudoer and so on. If it is acceptable to make the assumption that there are only real disk partitions for /boot /root and /home and nothing else, especially not for /tmp and /var, I can write a fstab file for remounting and binding everything with hardened options. This 'fstab' does not have to be the real fstab. We can use any arbitrary path and specify it to mount with --fstab. So we write a new fstab in any location we want. Then we run upon booting to the system "mount --fstab /our/path/fstab -a". This will remount and bind everything. I can create a pull with the said implementation. Would this be a viable option? |
security-misc is part of Kicksecure but ideally it will stay a clean design and won't turn into requiring Kicksecure.
Please describe some other scenarios. security-misc, Kicksecure is intended to be as functional as Debian. It is designed to be generic, should installable on arbitrary end user or servers.
Please suggest as this could be interesting but I cannot promise this will be the chosen implementation.
Interesting.
This is the critical point. "Upon booting". How? The systemd unit file approach wasn't viable. Lead to race conditions, weird bugs. If "upon booting" was sorted out the this feature would probably in production years ago already. Note, that it won't help a lot to wait until booting succeeded and only then start using more secure mount options. For effective protection, the remounting to more secure mount options needs to be done during a time where only more trusted code is running. Once the system booted and less trusted code is running such as when user This is because to prevent for example malicious code to be executed from /run, /home, etc. it needs to be done before lets say any malicious code has any chance to execute something in /home. Therefore switching to more secure mount options is crucial to be done at the right time. The earliest time would be from initramfs after the "normal" mount has been done. A later but still secure time might be something that current systemd unit is attempting.
|
I have successfully tested, for example, a solution like this: Create a hardened fstab: Echo the following content
When we run If there is a partition for /var -> use remount for var And you are right, I imagined we would do this after having booted to the system. This would obviously not be the optimal solution. Optimally we would append these lines to the good old fstab we know with a script, and remove them upon uninstall. I don't know if that would be possible tho. So if it is still more desirable to use a system service, it might as well be a one-liner and use the hardened_fstab as its pseudo config file. As it seems /run is hardened as is by default on bookworm, we need no antry for it. I also choose to bind /var/tmp to /tmp and mount them with tmpfs. This mounts the tmp system to ram, and would assure no persistance in /tmp and also sanitize the data on reboot. So a /tmp that is not on disk as a partition is definetely more desirable, but we can just use remount with ext4 to /tmp if it is already on disk as a partition. Would this be of interest? |
I don't think this would be compatible if using file systems other than ext4? On Qubes in a Debian based App Qube:
This is Qubes fstab: Without resolving "how" to start this, it wouldn't be very secure anyhow. As we speak I am working on a dracut module which would resolve the "how" part. Could you please review, contribute to https://github.com/Kicksecure/security-misc/blob/master/usr/bin/remount-secure so it handles all the mount points and corner cases? |
A dracut module was added: Not yet tested. |
I forked the repo for modifications on remount-secure. I could not manage to fix the pipe broken bug in the old version, which prevented me from the lynis recommended mount options to other directories. I did a somewhat reimplementation. It works, almost completely tested. Can definetely be cleaned and shortened, and more comments can be added where fit. This checks if the system has seperate partitions for these directories on disk and if that is the case we do a simple bind. Else we remount the partition. If it is already hardened, we don't touch it. |
I think I might have deleted some of the important options, which may be necessary. To me they seemed not necessary, at least not anymore, with the new implementation, but I might be wrong if they were meant to serve some other purpose that I do not know. |
The new dracut module based implementation is very promising. It works except for /home because apparently by the time the hook runs, there is no /home folder yet. Investigating... It's in git master (and in the developers repository).
I cannot reproduce this anymore in the current version.
I don't understand. |
Even though using the dracut |
I didn't create a pull for my fork. I was talking about how I did the implementation in my fork.
I have a slight different implementation. It certainly works when booted after and it checks and mounts everything that CISOfy recommends. They also recommend to bind /var/tmp to /tmp and to mount these to tmpfs. This was not possible to do with the old implementation where all functions called a remount_secure function with parameters. So the implementation differs there. But it does all these if the partitioning on system is available. So if there is a /tmp or /var/tmp partition, we do not do this but just remount them with hardened options. We also do not touch anything if a directory is already hardened. So all checks are done and the mounting applies accordingly. But unfortunately I did not try this with the hook. So I do not know if it would work. I can also port the recommended options for all directories to the old implementation but then we would miss out on tmpfs for tmp and /var/tmp and /tmp binding. And also I think the old implementation runs regardless if the directory/partition was already hardened, so that might also be a problem. |
Also /run is mounted with the hardening options by default on bookworm. So unless the user explicitly remounted it with weaker options, a check for this might be unnecessary. Making a noexec on /tmp causes no issues whatsoever in my observation. It is also recommended. It has been a cause for numerous vulnurabilities. So making this opt-in is not optimal. Noexec on /home breaks applications like steam, pycharm and if installed with the tarball, the tor browser. It also software makes development impossible. And it is also not on the recommended list of CISOfy. So this might be better left alone. The other CISOfy recommended mounts that are not yet present in the current version also do not break anything. So porting them with either of the imlementations would be a net positive, which I can do. |
Pretty sure the new implementation is the way to go because it cleanly, robustly applies mounting options hardening as early as possible? It seems more robust and secure. The The latter is very useful for development, debugging. Due to the dracut Configuration is currently possible using kernel parameters: Which for now are rather simple:
Something more sophisticated would be in theory:
But not sure that's worth it. I think a reasonable development goal is to:
If a system administrator is setting up more complex mounts using I am not sure yet about remounting to |
Does not have noexec for me by default. |
It might break a few things such as some installers. Not a reason to not set noexec. In other words, no exec can be set. But something to document.
Please add these applications to the wiki. Useful for users to decide who can enable this (in what VMs) and who cannot.
Right. I am wondering about the proper defaults here. Perhaps even /home with noexec by default. But only after this is stable (will request some opt-in testing period) and of course only if it is documented how to disable any noexec. This would be opt-out by default for Whonix because of Tor Browser, unless another solution could be found. But this can be considered later. Potentially in other tickets. Highest priority in this ticket is fixing remounting /home. |
What is the reason for using noexec_maybe on every function. except /home, we know no breakage will occur. So for others, noexec should be used directly. Should I create a request? |
Also why is /dev function commented out? Does it cause breakage or error of some kind? |
In development. I currently broke the boot. Dunno which one is hardened too much that it breaks the boot. But also the option to disable this on kernel command line is broken too... So one step at a time. |
Code complexity. Too many options. Getting confusing. Also all of this needs to be documented. What's the point if lets say /tmp is noexec but /home is not? noexec seems to make sense only in a context where it is used everywhere. If the major open door /home doesn't use noexec then it doesn't seem to make sense. So maybe 3 different modes make sense...?
? |
New issue. As soon as I enable the
I hope I haven't reached another dead-end here implementation wise. |
A lot of security vulnurabilities are from /tmp and can be mostly prevented by giving noexec to tmp. This applies to log files as well. Because most anyone can create log and tmp files or make programs do it. But creating files on /home is probably more difficult. So noexec should be used on /tmp /dev/shm /dev/log /dev/log/audit and /dev/tmp for better vulnurability protection. I also created a pull with these commented out completely, for testing. There is also one for /usr which would ensure that apt is the only one who can modify binaries and libraries. |
Could it be related to this issue? dracutdevs/dracut#481 |
Some need to use NEWROOT and some don't. |
Doesn't |
Makes sense. So we need at least 4 settings...?
Just using numbers for the kernel parameter or other name suggestions?
Ok.
For this one please open a separate forum discussion (preferably) or ticket. |
I think so. This is for systems where /var/log and /var/log/audit are located on seperate and dedicated disk partitions. This seems to be a very common practice in servers. I doubt it is as common on desktops since it auditing is not of big importance. So we may choose to pass this one, assuming this package targets desktops and this is probably only common practice on servers. |
Very interesting. They don't seem to follow any pattern that I can see. Surely there is an explanation but not anything I can see. |
this might be desirable. pretty much everything other than /dev should be mounted with nodev. since no device should be expected anywhere else. this has been used for exploits (my understanding, mostly on /tmp and logging stuff). noexec is also very effective at avoiding undiscovered exploits. noexecing the home is also desirable but breaking users applications is not something we want. a lot of non-deb third party software install on home. |
This works really good for now... It certainly needs testing and probably unit testing with systemcheck. All the folders needing protection need to be tested with a script if really the options intended are set or not.
I don't know yet what
is about and if that matters. |
This is a debian thing. Lynis expects the defaults on root as option. Debian has errors=remount-ro as well. This is for, if there is an error, remount as read-only. I do not know what this is for either. Editing /etc/fstab and replacing errors=remount-ro with defaults makes lynis say OK in green. I don't think it is a big deal. This is very good news by the way. |
By looking at lynis source code it seems to be it looks at /etc/fstab looking for
Unless lynis has a real argument I think this has to be ignored. |
These layered mounts aren't pretty but I don't see a real issue or have a solution.
As long as the mount options are effectively hardened (first line preceeding, mounted with noexec) then it's probably fine. |
I agree. There is no hardening option for /root anyway. It is just default or non default. And errors=remount-ro doesn't appear to do any harm. The layered mounts are inevitable if there are no seperate partitions on disk. I do not see any downside to this. |
Some failed unmount during shutdown. [FAILED] Failed unmounting var-log.mount. [ 1923.023754] (sd-remount)[43306]: Failed to remount '/var/log' read-only: Invalid argument
|
Debian packages being one thousand years behind the upstream does not seem to help our cause. Anyway. From the what you posted it seems like systemd-journald is still up when we are trying to unmount /var. It seems to be trying to log to /var whilst we are trying to unmount it. I found a similar thread here: https://unix.stackexchange.com/questions/378678/why-do-i-get-the-error-failed-unmounting-var-during-shutdown And an issue: systemd/systemd#867 If this really is the problem, then something like the following in journald would solve the issue:
If this is not the issue to begin with, then I would have to compare the order of thing to how they are when we use a regular fstab, to understand the cause. |
This issue is only introduced by the new code, remount. It does not happen without that.
Why is how it should be or not?
The shutdown sequence is all up to systemd. systemd-journald writing output to stdout / serial console is important, good, as long as it does not write to devices where are mounted read-only. Which is probably as it is as per upstream defaults? Messing with that could cause more problems that it solves.
Yes. Or compare with a newer Debian and systemd version. Check if reproducible there. Because then systemd upstream won't close the bug report for being an older systemd version. |
I think I found a solution. I am going to test and report the results. |
I managed to solve this and created a pull.
This I solved too, and created a pull. Both are fully tested. |
I am not convinced yet that #133 is a clean way to solve this.
It's simply ignored. Also we don't understand why this is happening. We cannot point at the project, code that is failing. We'd simply layer a hack on top of this mess to conceal it. There's no need to conceal it. It's not possible to even spot this issue without a (virtual) serial-console which very, very few people are using. Next proper steps to get closed and hopefully be able to report/fix this at the actual level it is happening:
|
You are absolutely right. This is more like a band-aid solution. For the record, I have done numerous tests and can say the following: |
Not being quite sure, restarting systemd-journald.service after we mount everything might solve the issue. My guess seems to be the explanation. Journald starting before the mounting is the problem. Will test this. |
New Issue: Not having the package dracut installed on the system breaks several systemd services loading during boot up even when secure remounting not enabled. Dracut has to be a dependency for the package. On a new debian VM I didn't get any warnings about dracut being needed or being a dependency. The package install perfectly then breaks stuff. When I install dracut, the breakage disappears. So solution is already identified. Dracut needs to be a dependency. |
And also addressing the original issue: I managed to identify the exact problem. |
Is it possible for you to write a shutdown hook? I think this can be achieved with dracut. Is it possible? |
To unmount the units in the appropriate order, mirroring the mount order. |
monsieuremre:
Is it possible for you to write a shutdown hook? I think this can be achieved with dracut. Is it possible?
The ordering what runs first during shtudown (systemd vs dracut exitrd
interaction) isn't well documented. There was a systemd-devel mailing
thread by me but parsing that and writing a coherent description is todo.
|
monsieuremre:
> Is it possible for you to write a shutdown hook?
I guess even a normal systemd unit would suffice. It's possible to have
ExecStart= (or unset) but only set ExecStop=. systemd must certainly
support some "do this at shutdown only" stuff.
Unmounting "our" mounts first before anything else should be possible
with the correct systemd dependencies.
|
monsieuremre:
New Issue: Not having the package dracut installed on the system breaks several systemd services loading during boot up even when secure remounting not enabled.
How's that possible?
Please report separately, perhaps report upstream if applicable.
Dracut has to be a dependency for the package.
I would want to avoid a hard dependency on dracut. Because simply
installing dracut can break the boot process.
dracutdevs/dracut#2437
Does it suffice to install dracut-core but not dracut? That would be a
nice middle ground. Ideally that would satisfy the dependency but not
cause other breakage.
|
By this I mean, dracut does not come preinstalled. And we use a dracut hook. I don't know how it would be possible to not depend on dracut. |
By this I mean, dracut does not come preinstalled. And we use a dracut hook. I don't know how it would be possible to not depend on dracut.
Only by re-implementing the same as an initramfs-tools hook which is
patches welcome.
dracut dependency would be ok if above bugfix of dracut gets merged for
Debian bookworm + 1.
|
There is interest for initramfs-tools to use dracut - https://salsa.debian.org/debian/dracut/-/merge_requests/27 |
It was the unmounting order as I suspected. I managed to found a fix that works like charm with no drawbacks. Already created a pull request. Review please. |
I found an even better solution with none of the problems. Pull request pending. |
Hoping to use the pull request solely for further discussions. |
Is there any particular reason to have a systemd service remount partitions rather than editing /etc/fstab accordingly? This seems cause extra complexity without any benefit that I could see of.
As a reference, the recommended options from the lynis documentation can be used. I have tested this and no application seems to break that a debian user would normally install, let alone any whonix default packages.
This can be achieved with a simple bind for those without literal partitions on disk. And for the literal partitions, a basic sed operation can be used on fstab. The old fstab can be backed up to be restored upon package removal.
So what would be the reason to use a service here? If this is not necessary, I can create a pull request for modifying the fstab. If there is a reason that I do not know of, the same recommended options can be adapted by the service, I assume.
The text was updated successfully, but these errors were encountered: