Bug#378984: fstab default /proc entry nosuid
Package: partman-target Version: 44 Severity: normal Tags: patch please apply belows patch, to add the /proc line to fstab with nosuid. rationale: setuid and setgid bits have nothing lost in /proc, nice workaround for kernel /proc vulnerability, see suggested at the lwn.net article: http://lwn.net/SubscriberLink/191954/dfb24a687f9b032e/ Index: finish.d/create_fstab_header === --- finish.d/create_fstab_header(revision 39223) +++ finish.d/create_fstab_header(working copy) @@ -9,4 +9,4 @@ printf %-15s %-15s %-7s %-15s %-7s %s\n '# file system' 'mount point' 'type' 'options' 'dump' 'pass' /target/etc/fstab -printf %-15s %-15s %-7s %-15s %-7s %s\n proc /proc proc defaults 0 0 /target/etc/fstab +printf %-15s %-15s %-7s %-15s %-7s %s\n proc /proc proc defaults,nosuid 0 0 /target/etc/fstab -- maks -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.17-1-686 Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#378984: fstab default /proc entry nosuid
maximilian attems wrote: Package: partman-target Version: 44 Severity: normal Tags: patch please apply belows patch, to add the /proc line to fstab with nosuid. rationale: setuid and setgid bits have nothing lost in /proc, nice workaround for kernel /proc vulnerability, see suggested at the lwn.net article: http://lwn.net/SubscriberLink/191954/dfb24a687f9b032e/ Index: finish.d/create_fstab_header === --- finish.d/create_fstab_header (revision 39223) +++ finish.d/create_fstab_header (working copy) @@ -9,4 +9,4 @@ printf %-15s %-15s %-7s %-15s %-7s %s\n '# file system' 'mount point' 'type' 'options' 'dump' 'pass' /target/etc/fstab -printf %-15s %-15s %-7s %-15s %-7s %s\n proc /proc proc defaults 0 0 /target/etc/fstab +printf %-15s %-15s %-7s %-15s %-7s %s\n proc /proc proc defaults,nosuid 0 0 /target/etc/fstab Might even become defaults,nodev,noexec,nosuid for that matter. Thiemo -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#378984: fstab default /proc entry nosuid
On Thursday 20 July 2006 13:23, maximilian attems wrote: please apply belows patch, to add the /proc line to fstab with nosuid. There was a short discussion about this on IRC. fjp Kamion: What do you think of #378984? Kamion fjp: suspicious of noexec, aren't there symlinks to executables in /proc? dunno what mounting noexec does to those Kamion fjp: nodev and nosuid seem ok I guess Kamion I wonder why the kernel doesn't just default to those fjp Kamion: The question is rather do we want to set such complex options at all in the installer? This seems to work around a kernel vulnerability that has now been solved and may help guard against future security issues. fjp I just don't know if we want the installer to be responsible for that. maks did i miss other parts that set it? maks otherwise it is a really non-intrusive guard Kamion one thing I'd note is that 'mount -t proc proc /proc' is not exactly uncommon in init scripts, and the installer change would be ineffective if scripts did that Kamion although /etc/init.d/mountkernfs seems to get that right - it checks /etc/fstab for mount options Kamion mountkernfs.sh I mean fjp maks: No, it just goes against the basic design pronciple of the installer to stick to defaults unless there are very pressing reasons not to. Kamion I do sort of feel that init scripts should enforce those mount options instead, and then (a) we fix upgrades as well as fresh installs, (b) we have a way to turn it off if it turns out to be wrong in the future ths Kamion: Symlinks in /proc should simple get dereferenced. Kamion I guess Kamion suppose I should change binfmt-support to add those mount options Kamion so yeah, I think it should be done by init scripts Kamion however, some people still do 'mount /proc' Kamion so we can change the installer as well as a fallback pgpiKucZPsaIV.pgp Description: PGP signature
Bug#378984: fstab default /proc entry nosuid
Frans Pop [EMAIL PROTECTED] writes: On Thursday 20 July 2006 13:23, maximilian attems wrote: please apply belows patch, to add the /proc line to fstab with nosuid. There was a short discussion about this on IRC. fjp Kamion: What do you think of #378984? Kamion fjp: suspicious of noexec, aren't there symlinks to executables in /proc? dunno what mounting noexec does to those Kamion fjp: nodev and nosuid seem ok I guess Kamion I wonder why the kernel doesn't just default to those fjp Kamion: The question is rather do we want to set such complex options at all in the installer? This seems to work around a kernel vulnerability that has now been solved and may help guard against future security issues. fjp I just don't know if we want the installer to be responsible for that. maks did i miss other parts that set it? maks otherwise it is a really non-intrusive guard Kamion one thing I'd note is that 'mount -t proc proc /proc' is not exactly uncommon in init scripts, and the installer change would be ineffective if scripts did that Kamion although /etc/init.d/mountkernfs seems to get that right - it checks /etc/fstab for mount options Kamion mountkernfs.sh I mean fjp maks: No, it just goes against the basic design pronciple of the installer to stick to defaults unless there are very pressing reasons not to. Kamion I do sort of feel that init scripts should enforce those mount options instead, and then (a) we fix upgrades as well as fresh installs, (b) we have a way to turn it off if it turns out to be wrong in the future ths Kamion: Symlinks in /proc should simple get dereferenced. Kamion I guess Kamion suppose I should change binfmt-support to add those mount options Kamion so yeah, I think it should be done by init scripts Kamion however, some people still do 'mount /proc' Kamion so we can change the installer as well as a fallback I think 2 things need to be done: 1) change installer so new systems get a good fstab 2) fix fstab on upgrade so old system do too That fixes both mountkernfs.sh and manual 'mount /proc'. I don't think the mountkernfs.sh should hardcode those options as that is less transparent and doesn't work for manual mounts. The same goes for /sys although someone mentioned that there might be device nodes in /sys so only nosuid,noexec there. As to the kernel defaulting to noexec,nosuid,nodev for proc that is a nice idea. Maybe filesystems should have a black-list of standard mount options that get always unset. That should probably be brought to the kernel team and lkml for brainstorming. MfG Goswin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
