dev file system is mounted without nosuid

Bug #1450960 reported by Daniel on 2015-05-02
262
This bug affects 2 people
Affects Status Importance Assigned to Milestone
initramfs-tools (Ubuntu)
Wishlist
Unassigned
lxc (Ubuntu)
Wishlist
Unassigned
systemd (Ubuntu)
Wishlist
Unassigned

Bug Description

I just found that the /dev filesystem of most Ubuntu system is mounted without noexec, nosuid etc options.

If you do everything to harden your system, and you are using squashfs as root file system (which is read-only), such auto-mounted devices can be a serious leak.

This volume usually is quite small and for most folders only root has write access, so I don't know how much this bug is security relevant, but I think there is no reason to not change the mount options for /dev. And especially for LXC containers, I don't even know a workaround to fix it.

STEPS TO REPRODUCE:

me:~# cat >/dev/call-me.sh <<.e
> #!/bin/sh
> echo "I'm executable"
> .e

me:~# chmod +x /dev/call-me.sh

me:~# /dev/call-me.sh
I'm executable

EXPECTED BEHAVIOUR

me:~# /dev/call-me.sh
-bash: /dev/call-me.sh: Permission denied

WORKAROUND

me:~# mount -oremount,noexec,nosuid /dev

me:~# /dev/call-me.sh
-bash: /dev/call-me.sh: Permission denied

Unfortunately, this workaround doesn't work in LXC containers (where the same problem occurs) because of missing capabilities.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: udev 204-5ubuntu20.11
ProcVersionSignature: Ubuntu 3.13.0-49.83-generic 3.13.11-ckt17
Uname: Linux 3.13.0-49-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.10
Architecture: amd64
CurrentDesktop: XFCE
CurrentDmesg: Error: command ['sh', '-c', 'dmesg | comm -13 --nocheck-order /var/log/dmesg -'] failed with exit code 1: comm: /var/log/dmesg: Permission denied
CustomUdevRuleFiles: 51-android.rules 60-vboxdrv.rules
Date: Sat May 2 01:48:26 2015
MachineType: Gigabyte Technology Co., Ltd. H97-HD3
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-49-generic root=/dev/mapper/vg_ssd-lv_system_trusty1404 ro
SourcePackage: systemd
UpgradeStatus: Upgraded to trusty on 2014-04-18 (378 days ago)
dmi.bios.date: 06/26/2014
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: F5
dmi.board.asset.tag: To be filled by O.E.M.
dmi.board.name: H97-HD3
dmi.board.vendor: Gigabyte Technology Co., Ltd.
dmi.board.version: x.x
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 3
dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrF5:bd06/26/2014:svnGigabyteTechnologyCo.,Ltd.:pnH97-HD3:pvrTobefilledbyO.E.M.:rvnGigabyteTechnologyCo.,Ltd.:rnH97-HD3:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvrToBeFilledByO.E.M.:
dmi.product.name: H97-HD3
dmi.product.version: To be filled by O.E.M.
dmi.sys.vendor: Gigabyte Technology Co., Ltd.

Daniel (hackie) wrote :
Daniel (hackie) on 2015-05-02
description: updated
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lxc (Ubuntu):
status: New → Confirmed
Changed in systemd (Ubuntu):
status: New → Confirmed
Martin Pitt (pitti) wrote :

/dev/ is only writable for root and noexec is fairly useless to be honest, but adding nosuid might be a nice little improvement. /dev/pts and /dev/shm have restricted mount options as well, after all.

Changed in systemd (Ubuntu):
importance: Undecided → Wishlist
status: Confirmed → Triaged
Daniel (hackie) wrote :

That's not really true. On my system for example, the directory /dev/vboxusb/ exists with permissions

drwxr-x--- 4 root vboxusers 80 Mai 4 09:09 /dev/vboxusb/

So all users which are in group vboxusers can write to this sub-directory. I'm sure there are more cases like this...

Daniel (hackie) wrote :

Ok, my fault. No write permission for the group.

But anyway, I think there is no reason to not use both nosuid and noexec

Daniel (hackie) wrote :

Try this:

onlyauser@mymachine:~$ cat >/dev/.lxc/user/call-me.sh <<.e
> #!/bin/sh
> echo "I'm executable"
> .e
onlyauser@mymachine:~$ chmod +x /dev/.lxc/user/call-me.sh
onlyauser@mymachine:~$ /dev/.lxc/user/call-me.sh
I'm executable

Changed in lxc (Ubuntu):
importance: Undecided → Wishlist

The attachment "Patch for lxc on top of f08fee55a1f0ca62c2c97a2d2fd5ef1d7fbae8ee. Solves the issue in the container, NOT /dev/.lxc on the host" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Martin Pitt (pitti) wrote :

Applied the udev.init change in http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=63dff1e2132b for Debian. But it is totally irrelevant for Ubuntu, as we don't support SysV init. Under upstart /etc/init/udev does not do any mounting, it relies on mountall to do that, thus this needs to be added to /lib/init/fstab. systemd already mounts it with MS_NOSUID (but not with MS_NOEXEC).

But in all cases the dominating and important thing here is initramfs-tools, where /dev is usually mounted.

Changed in systemd (Ubuntu):
status: Triaged → Invalid
Martin Pitt (pitti) wrote :

Daniel, would you mind forwarding the initramfs-tools change to a Debian bug report?

Changed in initramfs-tools (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
status: Triaged → Fix Committed
Martin Pitt (pitti) on 2015-09-14
Changed in initramfs-tools (Ubuntu):
status: Fix Committed → Triaged
Martin Pitt (pitti) wrote :

This also applies when booting systemd without an initramfs. NOSUID is already set, but not NOEXEC. I proposed that in https://github.com/systemd/systemd/pull/1265

Changed in systemd (Ubuntu):
status: Invalid → In Progress
Martin Pitt (pitti) wrote :

Feedback from upstream at https://github.com/systemd/systemd/pull/1265 : Apparently noexec on /dev breaks some drivers which expose memory-mapped devices in /dev/. So retitling for "nosuid" only. systemd already does that, initramfs-tools doesn't yet, but the attached patch needs to be modified to only set "nosuid".

I committed http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=470c174f so that under sysvinit and without initramfs-tools udev will now mount /dev with "nosuid" as well. This case doesn't apply to Ubuntu, so once again closing the systemd task.

summary: - dev file system is mounted without noexec
+ dev file system is mounted without nosuid
Changed in systemd (Ubuntu):
status: In Progress → Invalid
Martin Pitt (pitti) on 2015-09-15
Changed in initramfs-tools (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package initramfs-tools - 0.120ubuntu4

---------------
initramfs-tools (0.120ubuntu4) wily; urgency=medium

  * init: Mount /dev with "nosuid". Thanks "Daniel". (LP: #1450960)

 -- Martin Pitt <email address hidden> Tue, 15 Sep 2015 07:20:43 +0200

Changed in initramfs-tools (Ubuntu):
status: Fix Committed → Fix Released
Serge Hallyn (serge-hallyn) wrote :

I have no objection to the lxc patches, however I do have concerns that they could cause breakages, so we need to make sure all the testcases pass.

Launchpad Janitor (janitor) wrote :
Download full text (10.5 KiB)

This bug was fixed in the package systemd - 227-2ubuntu1

---------------
systemd (227-2ubuntu1) xenial; urgency=medium

  * Merge with Debian unstable. Remaining Ubuntu changes:
    - Hack to support system-image read-only /etc, and modify files in
      /etc/writable/ instead.
    - Simpler udev maintainer scripts (all platforms must support udev, no
      debconf).
    - initramfs init-bottom: If LVM is installed, settle udev,
      otherwise we get missing LV symlinks. Workaround for LP #1185394.
    - Add debian/udev.lvm2.init: Dummy SysV init script to satisfy insserv
      dependencies to "lvm2" which is handled with udev rules in Ubuntu.
    - Add debian/udev.lvm2.service to avoid running the dummy lvm2 init
      script.
    - Provide shutdown fallback for upstart. (LP: #1370329)
    - debian/extra/ifup@.service: Additionally run for "auto" class. We don't
      really support "allow-hotplug" in Ubuntu at the moment, so we need to
      deal with "auto" devices appearing after "/etc/init.d/networking start"
      already ran. (LP: #1374521)
    - ifup@.service: Drop dependency on networking.service (i. e.
      /etc/init.d/networking), and merely ensure that /run/network exists.
      This avoids unnecessary dependencies/waiting during boot and dependency
      cycles if hooks wait for other interfaces to come up (like ifenslave
      with bonding interfaces). (LP: #1414544)
    - Add Get-RTC-is-in-local-time-setting-from-etc-default-rc.patch: In
      Ubuntu we currently keep the setting whether the RTC is in local or UTC
      time in /etc/default/rcS "UTC=yes|no", instead of /etc/adjtime.
      (LP: #1377258)
    - networkd: Change IPForward= default to "kernel". This keeps
      compatibility with lots of packages which expect to be able to
      enable global forwarding in /proc/sys/net/ipv4/ip_forward.
      (LP: #1500992)
    - Put session scopes into all cgroup controllers. This makes unprivileged
      user LXC containers work under systemd. (LP: #1346734)
    - Don't attempt to migrate pid 1 itself when migrating cgroups for started
      units; works around some not yet understood cgproxy/systemd interaction.
      This particularly unbreaks cgproxy in LXC. (LP: #1491557)
    - Lower Breaks: to plymouth version which has the udev inotify fix in
      Ubuntu.
    - Change systemd-sysv's conflicts to upstart-sysv. (LP: #1422681)
    - Don't build new systemd-journal-remote package and drop
      libmicrohttpd-dev. This is blocked by the MIR (LP #1488341).
    - Build using libseccomp on all architectures (See Debian #800818)

    Upgrade fixes, keep until 16.04 LTS release:
    - systemd Conflicts/Replaces/Provides systemd-services.
    - Remove obsolete systemd-logind upstart job.
    - Clean up obsolete /etc/udev/rules.d/README.
    - systemd.postinst: Migrate mountall specific fstab options to standard
      util-linux "nofail" option.
    - systemctl: Don't forward telinit u to upstart. This works around
      upstart's Restart() always reexec'ing /sbin/init on Restart(), even if
      that changes to point to systemd during the upgrade. This avoids running
      systemd during a dist-upgrade. (LP: #1430479)

systemd (22...

Changed in systemd (Ubuntu):
status: Invalid → Fix Released
To post a comment you must log in.