Frans Pop <[EMAIL PROTECTED]> writes:

> On Thursday 20 July 2006 13:23, maximilian attems wrote:
>> please apply the patch below, to add the /proc line to fstab with nosuid.
>
> There was a short discussion about this on IRC.
>
> <fjp> Kamion: What do you think of #378984?
> <Kamion> fjp: suspicious of noexec, aren't there symlinks to executables
> in /proc? dunno what mounting noexec does to those
> <Kamion> fjp: nodev and nosuid seem ok I guess
> <Kamion> I wonder why the kernel doesn't just default to those
> <fjp> Kamion: The question is rather do we want to set such complex
> options at all in the installer? This seems to work around a kernel
> vulnerability that has now been solved and may help guard against future
> security issues.
> <fjp> I just don't know if we want the installer to be responsible for
> that.
> <maks> did i miss other parts that set it?
> <maks> otherwise it is a really non-intrusive guard
> <Kamion> one thing I'd note is that 'mount -t proc proc /proc' is not
> exactly uncommon in init scripts, and the installer change would be
> ineffective if scripts did that
> <Kamion> although /etc/init.d/mountkernfs seems to get that right - it
> checks /etc/fstab for mount options
> <Kamion> mountkernfs.sh I mean
> <fjp> maks: No, it just goes against the basic design principle of the
> installer to stick to defaults unless there are very pressing reasons not
> to.
> <Kamion> I do sort of feel that init scripts should enforce those mount
> options instead, and then (a) we fix upgrades as well as fresh installs,
> (b) we have a way to turn it off if it turns out to be wrong in the
> future
> <ths> Kamion: Symlinks in /proc should simply get dereferenced.
> <Kamion> I guess
> <Kamion> suppose I should change binfmt-support to add those mount options
> <Kamion> so yeah, I think it should be done by init scripts
> <Kamion> however, some people still do 'mount /proc'
> <Kamion> so we can change the installer as well as a fallback

I think 2 things need to be done:

1) change installer so new systems get a good fstab
2) fix fstab on upgrade so old systems do too

That fixes both mountkernfs.sh and manual 'mount /proc'. I don't think
the mountkernfs.sh should hardcode those options as that is less
transparent and doesn't work for manual mounts.

The same goes for /sys although someone mentioned that there might be
device nodes in /sys so only nosuid,noexec there.

As to the kernel defaulting to noexec,nosuid,nodev for proc that is a
nice idea. Maybe filesystems should have a black-list of standard mount
options that get always unset. That should probably be brought to the
kernel team and lkml for brainstorming.

Regards,
        Goswin
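
The fstab fix-up on upgrade proposed in the reply above, as an added example that is not part of the original message or of any Debian package. The function name `harden_fstab` is hypothetical and the sample fstab is constructed; the option sets are the ones named in the thread (nodev,noexec,nosuid for proc, nosuid,noexec for /sys).

```shell
#!/bin/sh
# Added example; harden_fstab is a hypothetical helper name.
# Reads an fstab on stdin, writes the adjusted fstab to stdout.
#   proc  -> nodev,noexec,nosuid
#   sysfs -> noexec,nosuid (nodev left out: the thread notes possible device nodes in /sys)
harden_fstab() {
    awk '
    # Merge the comma-separated list "want" into "opts": keep existing
    # options, drop the positive form of a wanted one (exec vs noexec),
    # append whatever is still missing.
    function merge(opts, want,    n, m, i, j, o, w, seen, drop, out) {
        m = split(want, w, ",")
        n = split(opts, o, ",")
        out = ""
        for (i = 1; i <= n; i++) {
            drop = 0
            for (j = 1; j <= m; j++) {
                if (o[i] == w[j]) seen[j] = 1
                if (("no" o[i]) == w[j]) drop = 1
            }
            if (!drop) out = out (out == "" ? "" : ",") o[i]
        }
        for (j = 1; j <= m; j++)
            if (!(j in seen)) out = out (out == "" ? "" : ",") w[j]
        return out
    }
    /^[ \t]*#/ || NF < 4 { print; next }      # comments, blanks, short lines
    $3 == "proc"  { $4 = merge($4, "nodev,noexec,nosuid"); have_proc = 1 }
    $3 == "sysfs" { $4 = merge($4, "noexec,nosuid") }
    { print }                                  # edited lines are re-joined with single spaces
    # No proc entry at all: add one, so a plain "mount /proc" picks up the options.
    END { if (!have_proc) print "proc /proc proc nodev,noexec,nosuid 0 0" }
    '
}

# Constructed sample fstab, not taken from the thread.
harden_fstab <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults,exec 0 0
/dev/sda1 / ext3 defaults,errors=remount-ro 0 1
EOF
```

Because the options live in fstab rather than in an init script, an administrator can still edit them back out, and running the function a second time leaves the file unchanged.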