[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
This also applies when booting systemd without an initramfs. NOSUID is already set, but not NOEXEC. I proposed that in https://github.com/systemd/systemd/pull/1265

** Changed in: systemd (Ubuntu)
       Status: Invalid => In Progress

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1450960

Title:
  dev file system is mounted without noexec

Status in initramfs-tools package in Ubuntu:
  Triaged
Status in lxc package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  In Progress

Bug description:
  I just found that the /dev filesystem of most Ubuntu systems is mounted without noexec, nosuid etc. options. If you do everything to harden your system, and you are using squashfs as root file system (which is read-only), such auto-mounted devices can be a serious leak. This volume usually is quite small and for most folders only root has write access, so I don't know how much this bug is security-relevant, but I think there is no reason not to change the mount options for /dev. And especially for LXC containers, I don't even know a workaround to fix it.

  STEPS TO REPRODUCE:
  me:~# cat >/dev/call-me.sh <<.e
  > #!/bin/sh
  > echo "I'm executable"
  > .e
  me:~# chmod +x /dev/call-me.sh
  me:~# /dev/call-me.sh
  I'm executable

  EXPECTED BEHAVIOUR
  me:~# /dev/call-me.sh
  -bash: /dev/call-me.sh: Permission denied

  WORKAROUND
  me:~# mount -oremount,noexec,nosuid /dev
  me:~# /dev/call-me.sh
  -bash: /dev/call-me.sh: Permission denied

  Unfortunately, this workaround doesn't work in LXC containers (where the same problem occurs) because of missing capabilities.
  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: udev 204-5ubuntu20.11
  ProcVersionSignature: Ubuntu 3.13.0-49.83-generic 3.13.11-ckt17
  Uname: Linux 3.13.0-49-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.10
  Architecture: amd64
  CurrentDesktop: XFCE
  CurrentDmesg: Error: command ['sh', '-c', 'dmesg | comm -13 --nocheck-order /var/log/dmesg -'] failed with exit code 1: comm: /var/log/dmesg: Permission denied
  CustomUdevRuleFiles: 51-android.rules 60-vboxdrv.rules
  Date: Sat May 2 01:48:26 2015
  MachineType: Gigabyte Technology Co., Ltd. H97-HD3
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-49-generic root=/dev/mapper/vg_ssd-lv_system_trusty1404 ro
  SourcePackage: systemd
  UpgradeStatus: Upgraded to trusty on 2014-04-18 (378 days ago)
  dmi.bios.date: 06/26/2014
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: F5
  dmi.board.asset.tag: To be filled by O.E.M.
  dmi.board.name: H97-HD3
  dmi.board.vendor: Gigabyte Technology Co., Ltd.
  dmi.board.version: x.x
  dmi.chassis.asset.tag: To Be Filled By O.E.M.
  dmi.chassis.type: 3
  dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
  dmi.chassis.version: To Be Filled By O.E.M.
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrF5:bd06/26/2014:svnGigabyteTechnologyCo.,Ltd.:pnH97-HD3:pvrTobefilledbyO.E.M.:rvnGigabyteTechnologyCo.,Ltd.:rnH97-HD3:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvrToBeFilledByO.E.M.:
  dmi.product.name: H97-HD3
  dmi.product.version: To be filled by O.E.M.
  dmi.sys.vendor: Gigabyte Technology Co., Ltd.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1450960/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
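An added audit helper, not part of the bug report or of any Ubuntu package: a POSIX sh script that reads a mount table in /proc/self/mounts format and reports which of the hardening options noexec and nosuid a given mountpoint lacks, so the state the report describes for /dev (nosuid present, noexec missing) can be checked before and after the remount workaround. The mount table embedded below is a constructed sample, not output from the reporter's machine.

```shell
#!/bin/sh
# Added example (not from the bug report). Audits a mount table in the
# /proc/self/mounts layout: "device mountpoint fstype options dump pass".

# Constructed sample table: /dev as the report describes it (nosuid but no
# noexec), /run with both options, and a root filesystem with neither.
SAMPLE_MOUNTS='udev /dev devtmpfs rw,nosuid,relatime,size=8123456k,nr_inodes=2030864,mode=755 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=1626752k,mode=755 0 0
/dev/mapper/vg_ssd-lv_system_trusty1404 / ext4 ro,relatime,errors=remount-ro,data=ordered 0 0'

# mount_opts MOUNTPOINT   (mount table on stdin)
# Prints the option field of the last entry for MOUNTPOINT, i.e. the
# topmost mount if the same path was mounted more than once; prints an
# empty line if the mountpoint does not appear at all.
mount_opts() {
    found=""
    while read -r dev mp fstype opts rest; do
        [ "$mp" = "$1" ] && found=$opts
    done
    printf '%s\n' "$found"
}

# has_opt OPTION OPTS_CSV
# Succeeds only when OPTION is a whole comma-separated entry (so "noexec"
# does not match inside another option's value).
has_opt() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_hardening MOUNTPOINT   (mount table on stdin)
# Prints the hardening options missing from the mountpoint, space separated
# ("noexec", "nosuid", "noexec nosuid"), "none" when both are present, or
# "absent" when the mountpoint is not in the table.
missing_hardening() {
    opts=$(mount_opts "$1")
    if [ -z "$opts" ]; then
        echo absent
        return 0
    fi
    missing=""
    for want in noexec nosuid; do
        has_opt "$want" "$opts" || missing="${missing:+$missing }$want"
    done
    echo "${missing:-none}"
}

# Demonstration: the constructed table, then the live system if readable.
for target in /dev /run /; do
    printf 'sample %-4s missing: %s\n' "$target" \
        "$(printf '%s\n' "$SAMPLE_MOUNTS" | missing_hardening "$target")"
done
if [ -r /proc/self/mounts ]; then
    printf 'live   /dev missing: %s\n' "$(missing_hardening /dev < /proc/self/mounts)"
fi
```

Inside an LXC container the same check can be run against the container's own /proc/self/mounts even though, as the report notes, the remount workaround itself is refused there for lack of capabilities.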
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
Applied the udev.init change in http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=63dff1e2132b for Debian. But it is totally irrelevant for Ubuntu, as we don't support SysV init. Under upstart /etc/init/udev does not do any mounting, it relies on mountall to do that, thus this needs to be added to /lib/init/fstab. systemd already mounts it with MS_NOSUID (but not with MS_NOEXEC). But in all cases the dominating and important thing here is initramfs-tools, where /dev is usually mounted.

** Changed in: systemd (Ubuntu)
       Status: Triaged => Invalid

** Also affects: initramfs-tools (Ubuntu)
   Importance: Undecided
       Status: New
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
Daniel, would you mind forwarding the initramfs-tools change to a Debian bug report?

** Changed in: initramfs-tools (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: initramfs-tools (Ubuntu)
       Status: New => Triaged

** Changed in: initramfs-tools (Ubuntu)
       Status: Triaged => Fix Committed
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
** Changed in: initramfs-tools (Ubuntu)
       Status: Fix Committed => Triaged
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
** Patch added: "Patch for host, package udev, on top of a current wily installation"
   https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1450960/+attachment/4463061/+files/udev.patch
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
** Patch added: "Patch for host, package initramfs-tools, on top of a current wily installation"
   https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1450960/+attachment/4463062/+files/initramfs-tools.patch
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
** Patch added: "Patch for lxc on top of f08fee55a1f0ca62c2c97a2d2fd5ef1d7fbae8ee. Solves the issue on the host, /dev/.lxc"
   https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1450960/+attachment/4463050/+files/lxc-noexec-host.patch
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
** Patch added: "Patch for lxc on top of f08fee55a1f0ca62c2c97a2d2fd5ef1d7fbae8ee. Solves the issue in the container, NOT /dev/.lxc on the host"
   https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1450960/+attachment/4463049/+files/lxc-noexec.patch
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
The attachment "Patch for lxc on top of f08fee55a1f0ca62c2c97a2d2fd5ef1d7fbae8ee. Solves the issue in the container, NOT /dev/.lxc on the host" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

** Tags added: patch
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
** Changed in: lxc (Ubuntu)
   Importance: Undecided => Wishlist
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
Try this:

onlyauser@mymachine:~$ cat >/dev/.lxc/user/call-me.sh <<.e
> #!/bin/sh
> echo "I'm executable"
> .e
onlyauser@mymachine:~$ chmod +x /dev/.lxc/user/call-me.sh
onlyauser@mymachine:~$ /dev/.lxc/user/call-me.sh
I'm executable
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
Ok, my fault. No write permission for the group. But anyway, I think there is no reason to not use both nosuid and noexec.
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
That's not really true. On my system for example, the directory /dev/vboxusb/ exists with permissions

drwxr-x--- 4 root vboxusers 80 Mai  4 09:09 /dev/vboxusb/

So all users which are in group vboxusers can write to this subdirectory. I'm sure there are more cases like this...
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
/dev/ is only writable for root and noexec is fairly useless to be honest, but adding nosuid might be a nice little improvement. /dev/pts and /dev/shm have restricted mount options as well, after all.

** Changed in: systemd (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: systemd (Ubuntu)
       Status: Confirmed => Triaged
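A defender-side check for the mount options this comment compares, added here as an example (it is not code from the bug report, systemd or lxc): it reads /proc/self/mounts-style entries and reports which of nosuid and noexec are missing on /dev, /dev/pts and /dev/shm. The sample mount lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit /dev, /dev/pts and
# /dev/shm for the nosuid/noexec options discussed in this thread.

# Constructed sample in /proc/self/mounts format
# (device mountpoint fstype options dump pass); /dev lacks noexec.
SAMPLE_MOUNTS='udev /dev devtmpfs rw,nosuid,relatime,size=8k,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/mapper/vg-root / squashfs ro,relatime 0 0'

# Print the option field of the LAST entry for mountpoint $2 in the
# mounts text $1 (a later overmount shadows an earlier one).
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# Print, one per line, the options from the comma-separated list $3 that
# are absent from the mount of $2; print nothing when all are present and
# "not-mounted" when $2 has no entry at all.
missing_options() {
    opts=$(mount_options "$1" "$2")
    [ -n "$opts" ] || { echo "not-mounted"; return 0; }
    printf '%s\n' "$3" | tr ',' '\n' | while read -r want; do
        case ",$opts," in
            *",$want,"*) ;;                  # option present
            *) printf '%s\n' "$want" ;;      # option missing
        esac
    done
}

# One report line per mount point; return 0 only when /dev, /dev/pts and
# /dev/shm all carry both nosuid and noexec.
audit_dev_mounts() {
    rc=0
    for mp in /dev /dev/pts /dev/shm; do
        miss=$(missing_options "$1" "$mp" nosuid,noexec | tr '\n' ' ')
        if [ -z "$miss" ]; then
            echo "OK   $mp"
        else
            echo "WEAK $mp lacks: $miss"
            rc=1
        fi
    done
    return $rc
}

# Run against the constructed sample; on a live system pass
# "$(cat /proc/self/mounts)" instead. The "|| :" keeps the script's own
# exit status at 0 even though the sample is reported as weak.
audit_dev_mounts "$SAMPLE_MOUNTS" || :
```

The script only reports; it does not remount, so it is equally usable inside an LXC container where the remount workaround fails for lack of capabilities.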
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: lxc (Ubuntu)
       Status: New => Confirmed
[Touch-packages] [Bug 1450960] Re: dev file system is mounted without noexec
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: systemd (Ubuntu)
       Status: New => Confirmed