In my last blog post I talked about the verybad web application. It has multiple major security holes, which allow anyone to do remote code execution or read/write files on a server. Look at the source code to see what you can do.
I am running one instance in public at http://verybad.kushaldas.in:8000/, and I asked Twitter to see if anyone can get access. The only difference is that this service has some of the latest security mitigations from systemd on a Fedora 35 box.
The service has been up for a few days now, and a few people tried for hours. One person managed to read the verybad.service file after a few hours of different tries. This allowed me to look into other available options from
Rest of the major protections are coming from
in systemd. This enables multiple other protections (which can not be turned
- SUID/SGID files can not be created or executed
- Temporary filesystem is private to the service
- The entire file system hierarchy is mounted read-only except a few places
systemd can also block exec mapping of shared libraries or executables. This
way we can block any random command execution, but still allow the
command to execute.
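
As an added illustration (not the unit file from this post), here is a drop-in that requests each protection listed above explicitly, using directive names from systemd.exec(5). The drop-in file name, the `verybad` state directory and the `/path/to/service-binary` placeholder are assumptions.

```ini
# /etc/systemd/system/verybad.service.d/hardening.conf
# (hypothetical drop-in; systemd has no inline comments, so each
#  comment sits on its own line)
[Service]

# SUID/SGID: setting the bits on files is denied, and exec'ing an
# existing SUID/SGID binary grants no extra privileges.
RestrictSUIDSGID=yes
NoNewPrivileges=yes

# The service gets its own /tmp and /var/tmp, invisible to other units.
PrivateTmp=yes

# Entire hierarchy read-only except /dev, /proc and /sys.
ProtectSystem=strict
# Writable locations are opted in. This creates /var/lib/verybad
# (assumed name) and keeps it writable for the service.
StateDirectory=verybad

# Deny exec mapping for everything, then allow only what must run.
# The shared library directory is needed so the dynamic loader and
# libraries can still be mapped executable (Fedora path shown).
# Replace the placeholder with the one binary the service must run.
NoExecPaths=/
ExecPaths=/path/to/service-binary /usr/lib64
```

After `systemctl daemon-reload` and a service restart, `systemd-analyze security verybad.service` lists which of these settings are in effect for the unit.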
Please have a look at the man page and learn about the many options systemd now provides. I am finding this very useful, as it takes such a small amount of time to learn and use. The credit goes to Lennart and the rest of the maintainers.
Oh, just in case you are wondering, for a real service you should enable this along with other existing mechanisms, like SELinux or AppArmor.