Yes, only the kernel may write to /proc and /sys. Yes, only root may write to /dev. If all is well and the kernel free of bugs then there is absolutely no need to do apply such restrictive mount options. In the real world it does not hurt to be paranoid IMHO: There was a recent vulnerability in the kernel that was exploitable on linux systems that had /proc mounted without nosuid.
I do not see how mounting /dev noexec,nosuid can cause trouble mmaping /dev/zero: That has mode 666 anyway and thus is not executable. In fact the only things having an executable bit set in /dev are directories and symlinks. Scot is right of course: the real "/" is not used at all at this point in time, so it does not matter whether mount -n is used or not. -- Virtual filesystem mounts could use more restrictive mount options https://launchpad.net/bugs/54530 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
