Your message dated Mon, 12 Jun 2017 12:26:38 +0200
with message-id <20170612102638.vj24z4zqfb4jz...@bongo.bofh.it>
and subject line Re: Bug#855798: udev: MemoryDenyWriteExecute=yes should not be
applied to udev plugins
has caused the Debian Bug report #855798,
regarding udev: MemoryDenyWriteExecute=yes should not be applied to udev plugins
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
855798: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855798
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: udev
Version: 232-15
Severity: important
Some executables outside of systemd are no longer run as plugins after an
upgrade from Debian 8 to Debian 9 RC2, even though they should be called
according to the RUN+= action in rules. So this distro-upgrade is breaking
backwards compatibility.
This is complicated by the fact that the error shown in the journal is obscure
(even with systemd debugging enabled), e.g:
systemd-udevd[1510]: Process 'ifmgrctl' failed with exit code 127.
This is even though this same example executable 'ifmgrctl' runs just fine in
Debian 8 (udev 215).
It turns out that the problem is due to MemoryDenyWriteExecute=yes being set in
systemd-udevd.service, with the underlying as yet unresolved issue being due to
the way this 'ifmgrctl' executable was created by Go and most likely causing a
segment mapping issue, see https://github.com/systemd/systemd/issues/5400 for
more details.
The relevant upstream fixes are f3e43635932c ("core: Restrict mmap and mprotect
with PAGE_WRITE|PAGE_EXEC (#3319) (#3379)"), 40652ca4791f ("units: enable
MemoryDenyWriteExecute (#3459)"), but with the actual impacting fix here only
being committed at a later stage, 0c28d51ac849 ("units: further lock down our
long-running services").
While it would be useful to have a warning message to detect infraction of the
W^X check, and while it is easy enough to override MemoryDenyWriteExecute once
the problem has been root-caused, for reasons of backwards compatibility,
systemd-udevd.service should not inhibit executable plugins outside of systemd.
The requested fix is to set MemoryDenyWriteExecute=no (or to simply remove or
comment out MemoryDenyWriteExecute=yes, as by default it is disabled) in the
default unit file systemd-udevd.service used:
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 46d6378..108730e 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -25,6 +25,6 @@ KillMode=mixed
WatchdogSec=3min
TasksMax=infinity
MountFlags=slave
-MemoryDenyWriteExecute=yes
+MemoryDenyWriteExecute=no
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
--- End Message ---
--- Begin Message ---
On Feb 21, Mike Manning <mmann...@brocade.com> wrote:
> The problem binary is built using Go and is not part of the Debian distro.
> We are in the process of assessing why the way Go has created this
> executable and shared libs is infringing the W^X check during dynamic load.
> I am not aware of any other type of binary causing the problem, and have
> tested the plugin mechanism as working fine for test scripts and for
> statically linked executables created by Go. The question is where
> the boundary for security lies in terms of calling executables outside of
> systemd and indeed the distro, vs the pain involved in distro-upgrade due
> to the debuggability issues with this. Thanks, Mike
I do not believe that we should lower the security of all processes to
work around (temporary?) issues with a single out of tree program.
I recommend that you work around this by shipping
a /lib/systemd/system/udev.service.d/yourpackage.conf file which sets
MemoryDenyWriteExecute=no.
--
ciao,
Marco
signature.asc
Description: PGP signature
--- End Message ---
_______________________________________________
Pkg-systemd-maintainers mailing list
Pkg-systemd-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
