On 2023-02-02 13:58, Dave Howorth wrote:
On Thu, 2 Feb 2023 13:32:14 +0100 "Carlos E. R." wrote:
On 2023-02-02 12:31, Erwin Lam wrote:
On 01-02-2023 15:17, Carlos E. R. wrote:
On 2023-02-01 15:00, Bengt Gördén wrote:
Carlos E. R. wrote:
...
Hi Carlos,
The issue is caused by systemd hardening. Have a look at the file "/usr/lib/systemd/system/mlocate.service", in particular the line "ProtectKernelModules=true". This systemd setting not only prevents the service from loading any modules, but also denies the service access to directory "/lib/modules".
Wow.
I would never have guessed that.
[snip of evidence showing that actually is the case]
Is it just me or does that seem like a complication too far to everybody else? An unexpected failure of a well-known longstanding service with a totally unexpected and difficult to find reason, and all to what purpose? It doesn't stop bad actors accessing the modules in some other way. What were the systemd people smoking?
I still have not read the documentation, so maybe my question is answered there. What is the problem with my users (me) finding the location of kernel modules? Or can it be exploited remotely? Surely only root can run or load a module. I use "/etc/permissions.easy", not "secure" nor "paranoid". So why are we getting this extra hardening?
--
Cheers / Saludos,
Carlos E. R.
(from Elesar, using openSUSE Leap 15.4)
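
Added example, not part of the thread or of any project's code: a small audit that lists which unit files end up with the ProtectKernelModules= setting discussed above switched on, so a service that cannot see the modules directory can be traced to its unit. The function names and the sample units are constructed for illustration, and drop-ins are only read from the unit's own directory, which simplifies systemd's real search order.

```shell
#!/bin/sh
# Prints "yes" or "no": the effective ProtectKernelModules= for a unit file
# followed by its drop-ins, given in the order they are applied.
pkm_effective() {
    awk '
        FNR == 1      { in_service = 0 }              # each file starts outside any section
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service && /^[ \t]*ProtectKernelModules[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            v = tolower(v)
            if (v ~ /^(1|yes|y|true|t|on)$/) state = "yes"        # last assignment wins
            else if (v ~ /^(0|no|n|false|f|off)$/) state = "no"
            # any other value is left uninterpreted here
        }
        END { print (state == "" ? "no" : state) }    # unset means off
    ' "$@"
}

# Lists the *.service files in directory $1 whose effective value is "yes",
# applying <unit>.d/*.conf from the same directory in glob (name) order.
pkm_audit() {
    dir=$1
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        set -- "$unit"
        for dropin in "$unit".d/*.conf; do
            if [ -f "$dropin" ]; then set -- "$@" "$dropin"; fi
        done
        if [ "$(pkm_effective "$@")" = yes ]; then basename "$unit"; fi
    done
    return 0
}

# Constructed sample units: one hardened, one relaxed by a drop-in, one with
# the setting only inside a comment.
pkm_demo() {
    d=$(mktemp -d) || return 1
    printf '[Service]\nExecStart=/usr/bin/true\nProtectKernelModules=true\n' > "$d/hardened.service"
    cp "$d/hardened.service" "$d/relaxed.service"
    mkdir "$d/relaxed.service.d"
    printf '[Service]\nProtectKernelModules=no\n' > "$d/relaxed.service.d/override.conf"
    printf '[Unit]\nDescription=x\n# ProtectKernelModules=true\n[Service]\nExecStart=/usr/bin/true\n' > "$d/plain.service"
    pkm_audit "$d"
    rm -rf "$d"
}

pkm_demo   # prints: hardened.service
```

On a running system, "systemctl show -p ProtectKernelModules mlocate.service" reports the value systemd itself has resolved for the unit.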