Comment on hunger's /etc/fstab, above.
sysfs /sys sys nodev,noexec,nosuid 0 0
should read
sysfs /sys sysfs nodev,noexec,nosuid 0 0
Please adjust, before someone else has to waste a couple of hours too on
this little mistake.
--
Virtual filesystem mounts could use more restrictive mount options
https://launchpad.net/bugs/54530
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
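A defender's check for the kind of slip reported above, added here as an example and not part of the bug thread or of any Ubuntu package: it scans fstab-style entries for /proc and /sys and reports a wrong filesystem type (the `sys` vs `sysfs` typo) or a missing nodev, noexec or nosuid option. The function names, and the sample fstab it runs over, are constructed for this example; /dev is skipped because the thread found restricting it caused problems.

```shell
#!/bin/sh
# Added example, not code from the bug thread: audit fstab lines for the
# kernel virtual filesystems discussed there (/proc and /sys). /dev is
# left alone on purpose, as the thread reports restricting it broke things.

# Constructed sample fstab, including the mistaken "sys" line from the thread.
SAMPLE_FSTAB='proc /proc proc nodev,noexec,nosuid 0 0
sysfs /sys sys nodev,noexec,nosuid 0 0
udev /dev tmpfs rw 0 0
/dev/sda1 / ext3 defaults,errors=remount-ro 0 1'

# check_vfs_line "<fstab line>": prints one problem per line for /proc
# and /sys entries, returns 1 if anything was found, 0 otherwise.
check_vfs_line() {
    set -- $1                      # split the line into fstab fields
    [ $# -lt 4 ] && return 0       # not a complete entry, nothing to check
    mnt=$2; fstype=$3; opts=$4; rc=0
    case $mnt in
        /proc) want=proc ;;
        /sys)  want=sysfs ;;
        *)     return 0 ;;         # only the kernel filesystems from the thread
    esac
    if [ "$fstype" != "$want" ]; then
        echo "$mnt: type is '$fstype', should be '$want'"; rc=1
    fi
    for o in nodev noexec nosuid; do
        case ",$opts," in
            *,"$o",*) ;;
            *) echo "$mnt: missing option $o"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_fstab "<fstab text>": reports problems on stderr, prints their count.
audit_fstab() {
    report=$(printf '%s\n' "$1" | while IFS= read -r l; do
        case $l in ''|'#'*) continue ;; esac   # skip blanks and comments
        check_vfs_line "$l"
    done) || :
    if [ -z "$report" ]; then echo 0; return 0; fi
    printf '%s\n' "$report" >&2
    printf '%s\n' "$report" | wc -l | tr -d ' '
}

audit_fstab "$SAMPLE_FSTAB"
```

Run against the real file with `audit_fstab "$(cat /etc/fstab)"`; the same check applied to `/proc/mounts` output shows what is actually mounted rather than what fstab requests.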
Made the appropriate changes to /proc and /sys in initramfs-tools
** Changed in: initramfs-tools (Ubuntu)
Status: Confirmed => Fix Released
--
Made the appropriate changes in sysvinit to the filesystems
** Changed in: sysvinit (Ubuntu)
Status: Confirmed => Fix Released
--
Am rejecting this from udev ... it's been demonstrated that restricting
the mount options for /dev causes problems.
** Changed in: udev (Ubuntu)
Status: Confirmed => Rejected
--
You don't need the executable bit set on a file to be able to mmap it as
executable
--
Yes, only the kernel may write to /proc and /sys. Yes, only root may
write to /dev. If all is well and the kernel free of bugs then there is
absolutely no need to apply such restrictive mount options. In the
real world it does not hurt to be paranoid IMHO: There was a recent
vulnerability in the
While the kernel can create files that ignore the mount options, I
believe that the behaviour is consistent with the rest of the vfs - that
is, a /proc mounted noexec will not allow files to be executed, even if
the kernel has created them with the execute bit. Having a noexec/nosuid
/proc was
On Wed, 2006-08-09 at 08:22 +, hunger wrote:
> Something else: I get a message along the lines of "/dev/zero can not be
> mmaped" at startup and shutdown and am not sure that this is related to
> my changes... serious testing of these changes is recommended.
>
Your mount options to /dev proba
On Wed, 2006-08-09 at 07:01 +, Martin Pitt wrote:
> Tobias, I have some questions about /usr/share/initramfs-tools/init
> patch:
>
> -mount -t sysfs none /sys
> -mount -t proc none /proc
> +mount -n -t sysfs -onodev,noexec,nosuid none /sys
> +mount -n -t proc -onodev,noexec,nosuid none /proc
On Wed, 2006-08-09 at 08:22 +, hunger wrote:
> About "-n": That option prevents mount from writing to /etc/mtab. Since
> / is mounted readonly at that point this seems sensible to me.
>
/ is not mounted at all at that point.
It worries me that you don't seem to understand the changes that yo
About sending in patches: Yes, I want to do that:-) The problem is that
I start modifying and only when I am done I remember that I wanted to
send a patch and do not have the original files around anymore...
About "-n": That option prevents mount from writing to /etc/mtab. Since
/ is mounted reado
installer is not actually affected, but initramfs-tools is.
** Changed in: debian-installer (Ubuntu)
Sourcepackagename: debian-installer => initramfs-tools
--
Tobias, I have some questions about /usr/share/initramfs-tools/init
patch:
-mount -t sysfs none /sys
-mount -t proc none /proc
+mount -n -t sysfs -onodev,noexec,nosuid none /sys
+mount -n -t proc -onodev,noexec,nosuid none /proc
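Review bot: The -n switch is introduced on both mount lines without a comment saying why; since the real root is not mounted at this point in the initramfs, there is no writable /etc/mtab and -n stops mount from trying to record the entry, which is the reasoning that only surfaces later in this thread. Add a comment on the lines, e.g. `# no writable /etc/mtab yet in the initramfs`, and note that whatever later rebuilds mtab (mtab.sh) must also record nodev,noexec,nosuid for /sys and /proc, otherwise `mount` keeps listing them as plain rw even though the options are in effect.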
Why did you add -n? /sys and /proc are in /etc/mtab for me. However,
Finally we need to update mtab.sh to report the new settings... mostly
cosmetic...
--
OK, that's it.
My system runs on those settings for about a day now. I have not run
into trouble yet.
MORE TESTING IS REQUIRED of course:-)
--
Then there is udev...
--
mountkernfs.sh does some more...
--
I went ahead and modified a couple of files to apply more restrictive
mount options to the virtual filesystems.
The initramfs mounts the first set of FSes, so here is a patched version
of that.
--
Ah, OK, I see. That sentence can be misunderstood, sorry for that.
What I meant is that when doing "mount" all those filesystems are listed
as mounted with the option "(rw)". They could (and in my opinion should)
be mounted e.g. "(rw,noexec,nodev)" instead.
--
On Fri, Aug 04, 2006 at 03:03:05PM -, hunger wrote:
> Matt, I never suggested mounting /proc readonly!
"All the filesystems set up by ubuntu itself (/dev, /proc, /sys, /var/run,
/var/lock, etc.) are mounted rw by default. This is a potential security
risk that can be fixed..."
--
- mdz
--
Matt, I never suggested mounting /proc readonly!
It is a collection of data-files (from a filesystem point of view at
least). So nodev (no devices here), noexec (no executables either) and
nosuid (definitely no suid executables) should be OK.
In fact everything but /dev should be safe to get mount
** Summary changed:
- mountpoints with insecure permissions
+ Virtual filesystem mounts could use more restrictive mount options
** Changed in: debian-installer (Ubuntu)
Importance: Untriaged => Wishlist
** Also affects: sysvinit (Ubuntu)
Importance: Untriaged
Status: Unconfirmed