11:18 a.m.
How are these processes started and can they have a systemd-dropin like
"display-manager.service.d" and where does it need to be placed?
kuiserver5 seems to miss -D_FORTIFY_SOURCE=2 BTW
[root@srv-rhsoft:~]$ cat
/etc/systemd/system/display-manager.service.d/security.conf
[Service]
ReadOnlyDirectories=/boot
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadWriteDirectories=-/etc/vmware
ReadWriteDirectories=-/usr/local/Zend
SystemCallFilter=~@clock @cpu-emulation @reboot @swap
[root@srv-rhsoft:~]$ checksec --proc-all | grep "No Seccomp" |grep -v
vmware | grep -v "sd\-pam" | grep -v crond | grep -v sshd | grep -v
systemd | grep -v "grep " | grep -v bash
dbus-daemon 7816 Full RELRO Canary found No
Seccomp NX enabled PIE enabled Yes
kglobalaccel5 7908 Full RELRO Canary found No
Seccomp NX enabled PIE enabled Yes
dconf-service 7916 Full RELRO Canary found No
Seccomp NX enabled PIE enabled Yes
kactivitymanage 7998 Full RELRO Canary found No
Seccomp NX enabled PIE enabled Yes
gvfsd 8007 Full RELRO Canary found No
Seccomp NX enabled PIE enabled Yes
kuiserver5 8061 Full RELRO No canary found No
Seccomp NX enabled PIE enabled No
[root@srv-rhsoft:~]$ checksec --proc-all | grep dbus
dbus-daemon 7816 Full RELRO Canary found No
Seccomp NX enabled PIE enabled Yes
dbus-daemon 962 Full RELRO Canary found
Seccomp-bpf NX enabled PIE enabled Yes
[root@srv-rhsoft:~]$ ps aux | grep 7816
harry 7816 0.0 0.0 43700 4388 ? Ss 17:59 0:00
/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile
--systemd-activation --syslog-only
11:44 a.m.
Reindl Harald wrote:
How are these processes started and can they have a systemd-dropin
like
"display-manager.service.d" and where does it need to be placed?
kuiserver5 seems to miss -D_FORTIFY_SOURCE=2 BTW
I can confirm from build logs that kuiserver5 source files are compiled with
-D_FORTIFY_SOURCE=2
kuiserver5 8061 Full RELRO No canary found No
Seccomp NX enabled PIE enabled No
Is this the source of your inquiry? ^^
If so, I don't know why it's complaining here... perhaps because
kuiserver5's use of kf5-kinit confuses it?
-- Rex
12:03 p.m.
Am 31.03.2018 um 18:44 schrieb Rex Dieter:
Reindl Harald wrote:
> How are these processes started and can they have a systemd-dropin like
> "display-manager.service.d" and where does it need to be placed?
>
> kuiserver5 seems to miss -D_FORTIFY_SOURCE=2 BTW
I can confirm from build logs that kuiserver5 source files are compiled with
-D_FORTIFY_SOURCE=2
> kuiserver5 8061 Full RELRO No canary found No
> Seccomp NX enabled PIE enabled No
Is this the source of your inquiry? ^^
If so, I don't know why it's complaining here... perhaps because
kuiserver5's use of kf5-kinit confuses it
forget the "No canary found"
the main question is why a handful of processes have "No Seccomp" while
everything else inherits "ReadOnlyDirectories" and "SystemCallFilter"
from "display-manager.service"
"SystemCallFilter" is more or less a hack to get "checksec
--proc-all"
showing user processes which likely don't inherit "ReadOnlyDirectories",
for working as root i use ssh even on local machine and so that's fine
and a "system read-only mounted" without the negative impact to remeber
remount-rw here and then
[root@srv-rhsoft:~]$ cat
/etc/systemd/system/display-manager.service.d/security.conf
[Service]
ReadOnlyDirectories=/boot
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadWriteDirectories=-/etc/vmware
ReadWriteDirectories=-/usr/local/Zend
SystemCallFilter=~@clock @cpu-emulation @reboot @swap
[root@srv-rhsoft:~]$ checksec --proc-all | grep "No Seccomp" |grep -v
vmware | grep -v "sd\-pam" | grep -v crond | grep -v sshd | grep -v
systemd | grep -v "grep " | grep -v bash
dbus-daemon 7816 Full RELRO Canary found No
Seccomp NX enabled PIE enabled Yes
kglobalaccel5 7908 Full RELRO Canary found No
Seccomp NX enabled PIE enabled Yes
dconf-service 7916 Full RELRO Canary found No
Seccomp NX enabled PIE enabled Yes
kactivitymanage 7998 Full RELRO Canary found No
Seccomp NX enabled PIE enabled Yes
gvfsd 8007 Full RELRO Canary found No
Seccomp NX enabled PIE enabled Yes
kuiserver5 8061 Full RELRO No canary found No
Seccomp NX enabled PIE enabled No
2217
days inactive
2217
days old
2 comments
2 participants
participants (2)
-
Reindl Harald -
Rex Dieter