
Bug#681418: debugfs is a big security hole



On Fri, 13 Jul 2012, Ben Hutchings wrote:
> I certainly consider mounting of debugfs to be significant security
> liability.  I'm not at all happy that people use it as the basis for

Seconded.  I know of at least three ways to hardcrash boxes through
debugfs (system specific, not a kernel bug), and the unfortunate naming
DOES help kernel maintainers take an even more irresponsible stance
regarding security than what is already [unfortunately] normal.  e.g.
missing calls to capable() in debugfs handlers.

It really should be called "advcfgfs".  Either that, or it should taint
the kernel when mounted, and any production stuff would be forced to
"graduate" to a proper peer-reviewed interface.

> I would like to address this by backporting this feature:
> 
> commit d6e486868cde585842d55ba3b6ec57af090fc343
> Author: Ludwig Nussel <ludwig.nussel@suse.de>
> Date:   Wed Jan 25 11:52:28 2012 +0100
> 
>     debugfs: add mode, uid and gid options
> 
> and then changing the default mode (mask) to be 0700.  This should
> leave debugfs functional (most such applications will require root
> anyway) and allow users to relax permissions if they really don't
> care about the security problems.

Actually, it would be best if we could set mode, uid and gid per
inode/dentry, with defaults to the ones in the mount command (or
root:root 700).  Just like tmpfs does.

> However, currently there is not a single place for the user options.
> I think that either (1) debugfs should be mounted by default in a
> similar way to other pseudo-filesystems, or (2) debugfs should have a
> noauto entry in /etc/fstab where users can set options, and packages
> may use 'mount /sys/kernel/debug' to mount debugfs with those options
> (not 'mount -t debugfs debugfs /sys/kernel/debug', as now).

Both ideas would work.  Can you provide a patch for the relevant
initscripts?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
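
An audit sketch for the permission scheme discussed in this message (root:root with mode 0700, relaxed only through the mode, uid and gid mount options). It is an added example, not part of the original e-mail or of any Debian package. The function name, the constructed mount table and the treatment of a missing `mode=` as 0700 are assumptions.

```python
# Constructed sample in /proc/mounts format (not taken from a real system).
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime,mode=755 0 0
debugfs /srv/chroot/sys/kernel/debug debugfs rw,relatime,gid=1001,mode=750 0 0
debugfs /mnt/dbg debugfs rw,relatime 0 0
"""


def audit_debugfs(mounts_text, assumed_default=0o700):
    """Return {mountpoint: [reasons]} for debugfs mounts wider than root-only.

    assumed_default is the mode used when the line carries no mode= option;
    0700 is an assumption and must match the kernel actually running.
    """
    findings = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "debugfs":
            continue
        # "rw,relatime,mode=755" -> {"rw": "", "relatime": "", "mode": "755"}
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        mode = int(opts["mode"], 8) if opts.get("mode") else assumed_default
        uid = int(opts.get("uid") or 0)
        gid = int(opts.get("gid") or 0)
        reasons = []
        if uid != 0:
            reasons.append(f"owned by non-root uid {uid}")
        if mode & 0o070:
            reasons.append(f"group-accessible (gid {gid})")
        if mode & 0o007:
            reasons.append("world-accessible")
        if reasons:
            findings[fields[1]] = reasons
    return findings


if __name__ == "__main__":
    for mountpoint, reasons in audit_debugfs(SAMPLE_MOUNTS).items():
        print(f"{mountpoint}: {', '.join(reasons)}")
```

On a live system, pass the contents of `/proc/mounts` and cross-check the result against `stat -c '%a %U:%G'` on each mount point, since a kernel without the mode option does not report the root directory's mode in the mount table.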
