noexec bypasses using /run

[nihil-admirari]

systemd mounts $XDG_RUNTIME_DIR (/run/user/$UID) as exec, and $XDG_RUNTIME_DIR is always user writable. Apparently this behaviour is hardcoded in systemd: https://github.com/systemd/systemd/blob/main/src/shared/mount-setup.c#L99.

There is also similarly writable and executable fuse-portal mounted at /run/user/1000/doc.

The presence of these mount makes it trivial to bypass noexec even with ordinary binaries rather than scripts. Is there a workaround available?

See also: https://askubuntu.com/a/1432445.

[nihil-admirari]

Correction: $XDG_RUNTIME_DIR is mounted by user-runtime-dir.c, and mounting is controlled by [email protected]. Probably it can be overridden to remount as noexec after mounting.

[wj25czxj47bu6q]

Considering noexec is already trivially bypassable as you noted, the practical security impact of this behavior is dubious. I'm not sure it's worth the time to find a workaround.

Also note that noexec is bypassable by more than just shell scripts. For example, you can run python /tmp/main.py or java -jar /tmp/something.jar even if /tmp is mounted with noexec. At best noexec is a minor mitigation for vulnerable code; it cannot be expected to stop a serious attack.