From de38b46dd8ac75e5bc7c6c4b7623dffb9b74be7b Mon Sep 17 00:00:00 2001 From: Zygo Blaxell Date: Mon, 20 Jan 2025 00:15:38 -0500 Subject: [PATCH] scripts/beesd: harden the mount options * `nodev`: This reduces rename attack surface by preventing bees from opening any device file on the target filesystem. * `noexec`: This prevents access to the mount point from being leveraged to execute setuid binaries, or execute anything at all through the mount point. These options are not required because they duplicate features in the bees binary (assuming that the mount namespace remains private): * `noatime`: bees always opens every file with `O_NOATIME`, making this option redundant. * `nosymfollow`: bees uses `openat2` on kernels 5.6 and later with flags that prevent symlink attacks. `nosymfollow` was introduced in kernel 5.10, so every kernel that can do `nosymfollow` can already do `openat2`. Also, historically, `$BEESHOME` can be a relative path with symlinks in any path component except the last one, and `nosymfollow` doesn't allow that. Between `openat2` and `nodev`, all symlink attacks are prevented, and rename attacks cannot be used to force bees to open a device file. Signed-off-by: Zygo Blaxell --- scripts/beesd.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/beesd.in b/scripts/beesd.in index 8afeed4..b31d4c1 100755 --- a/scripts/beesd.in +++ b/scripts/beesd.in @@ -116,7 +116,7 @@ mkdir -p "$WORK_DIR" || exit 1 INFO "MOUNT DIR: $MNT_DIR" mkdir -p "$MNT_DIR" || exit 1 -mount --make-private -osubvolid=5 /dev/disk/by-uuid/$UUID "$MNT_DIR" || exit 1 +mount --make-private -osubvolid=5,nodev,noexec /dev/disk/by-uuid/$UUID "$MNT_DIR" || exit 1 if [ ! -d "$BEESHOME" ]; then INFO "Create subvol $BEESHOME for store bees data"
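Review bot: the changed `mount` line still leaves `$UUID` unquoted in the source path (`/dev/disk/by-uuid/$UUID`) while `$MNT_DIR` is quoted; if the variable is ever empty or contains whitespace the command silently changes shape, so quote it for consistency with the rest of the script: `mount --make-private -osubvolid=5,nodev,noexec "/dev/disk/by-uuid/$UUID" "$MNT_DIR" || exit 1`. The addition of `nodev,noexec` is otherwise consistent with the rationale in the message. Since the message explains that `noatime` and `nosymfollow` were deliberately omitted (bees opens with `O_NOATIME` and uses `openat2` on 5.6+, and `nosymfollow` would break a relative `$BEESHOME` with symlinked path components), consider carrying that reasoning into a short comment next to the `mount` line in `scripts/beesd.in`, so a later maintainer does not "harden" it further and reintroduce the `$BEESHOME` breakage.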