[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#378984: fstab default /proc entry nosuid

On Thursday 20 July 2006 13:23, maximilian attems wrote:
> please apply belows patch, to add the /proc line to fstab with nosuid.

There was a short discussion about this on IRC.

<fjp> Kamion: What do you think of #378984?
<Kamion> fjp: suspicious of noexec, aren't there symlinks to executables 
in /proc? dunno what mounting noexec does to those
<Kamion> fjp: nodev and nosuid seem ok I guess
<Kamion> I wonder why the kernel doesn't just default to those
<fjp> Kamion: The question is rather do we want to set such complex 
options at all in the installer? This seems to work around a kernel 
vulnerability that has now been solved and may help guard against future 
security issues.
<fjp> I just don't know if we want the installer to be responsible for 
<maks> did i miss other parts that set it?
<maks> otherwise it is a really non-intrusive guard
<Kamion> one thing I'd note is that 'mount -t proc proc /proc' is not 
exactly uncommon in init scripts, and the installer change would be 
ineffective if scripts did that
<Kamion> although /etc/init.d/mountkernfs seems to get that right - it 
checks /etc/fstab for mount options
<Kamion> mountkernfs.sh I mean
<fjp> maks: No, it just goes against the basic design pronciple of the 
installer to stick to defaults unless there are very pressing reasons not 
<Kamion> I do sort of feel that init scripts should enforce those mount 
options instead, and then (a) we fix upgrades as well as fresh installs, 
(b) we have a way to turn it off if it turns out to be wrong in the 
<ths> Kamion: Symlinks in /proc should simple get dereferenced.
<Kamion> I guess
<Kamion> suppose I should change binfmt-support to add those mount options
<Kamion> so yeah, I think it should be done by init scripts
<Kamion> however, some people still do 'mount /proc'
<Kamion> so we can change the installer as well as a fallback

Attachment: pgpz6PJcenDXW.pgp
Description: PGP signature

Reply to: