From 4ac1755be2d6c141fae7e57c42936e507c5b54e3 Mon Sep 17 00:00:00 2001 From: Etienne Cordonnier Date: Fri, 6 Sep 2024 10:36:28 +0200 Subject: [PATCH] coredump: set ProtectHome to read-only In https://github.com/systemd/systemd/pull/5283/commits/924453c22599cc246746a0233b2f52a27ade0819 ProtectHome was set to true for systemd-coredump in order to reduce risk, since an attacker could craft a malicious binary in order to compromise systemd-coredump. At that point the object analysis was done in the main systemd-coredump process. Because of this systemd-coredump is unable to product symbolicated call-stacks for binaries running under /home ("n/a" is shown instead of function names). However, later in https://github.com/systemd/systemd/commit/61aea456c12c54f49c4a76259af130e576130ce9 systemd-coredump was changed to do the object analysis in a forked process, covering those security concerns. Let's set ProtectHome to read-only so that systemd-coredump produces symbolicated call-stacks for processes running under /home. --- units/systemd-coredump@.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in index 012c60d2f6848..fa3206d07b5df 100644 --- a/units/systemd-coredump@.service.in +++ b/units/systemd-coredump@.service.in @@ -28,7 +28,7 @@ PrivateDevices=yes PrivateNetwork=yes PrivateTmp=yes ProtectControlGroups=yes -ProtectHome=yes +ProtectHome=read-only ProtectHostname=yes ProtectKernelModules=yes ProtectKernelTunables=yes