dev file system is mounted without nosuid
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
initramfs-tools (Ubuntu) | | Wishlist | Unassigned |
lxc (Ubuntu) | | Wishlist | Unassigned |
systemd (Ubuntu) | | Wishlist | Unassigned |
Bug Description
I just found that the /dev filesystem of most Ubuntu systems is mounted without the noexec, nosuid, etc. options.
If you do everything to harden your system, and you are using squashfs as the root file system (which is read-only), such auto-mounted devices can be a serious leak.
This volume is usually quite small and for most folders only root has write access, so I don't know how security-relevant this bug is, but I think there is no reason not to change the mount options for /dev. And especially for LXC containers, I don't even know a workaround to fix it.
STEPS TO REPRODUCE:
me:~# cat >/dev/call-me.sh <<.e
> #!/bin/sh
> echo "I'm executable"
> .e
me:~# chmod +x /dev/call-me.sh
me:~# /dev/call-me.sh
I'm executable
EXPECTED BEHAVIOUR
me:~# /dev/call-me.sh
-bash: /dev/call-me.sh: Permission denied
WORKAROUND
me:~# mount -oremount,
me:~# /dev/call-me.sh
-bash: /dev/call-me.sh: Permission denied
Unfortunately, this workaround doesn't work in LXC containers (where the same problem occurs) because of missing capabilities.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: udev 204-5ubuntu20.11
ProcVersionSign
Uname: Linux 3.13.0-49-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.10
Architecture: amd64
CurrentDesktop: XFCE
CurrentDmesg: Error: command ['sh', '-c', 'dmesg | comm -13 --nocheck-order /var/log/dmesg -'] failed with exit code 1: comm: /var/log/dmesg: Permission denied
CustomUdevRuleF
Date: Sat May 2 01:48:26 2015
MachineType: Gigabyte Technology Co., Ltd. H97-HD3
ProcKernelCmdLine: BOOT_IMAGE=
SourcePackage: systemd
UpgradeStatus: Upgraded to trusty on 2014-04-18 (378 days ago)
dmi.bios.date: 06/26/2014
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: F5
dmi.board.
dmi.board.name: H97-HD3
dmi.board.vendor: Gigabyte Technology Co., Ltd.
dmi.board.version: x.x
dmi.chassis.
dmi.chassis.type: 3
dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
dmi.chassis.
dmi.modalias: dmi:bvnAmerican
dmi.product.name: H97-HD3
dmi.product.
dmi.sys.vendor: Gigabyte Technology Co., Ltd.
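An added check, not part of the bug report or of the initramfs-tools/systemd packages: a POSIX sh audit that reads the per-mount flags from /proc/self/mountinfo (field 6, as documented in proc(5)) and reports which of nosuid/noexec (and nodev where it applies) are missing on /dev, /dev/pts and /dev/shm. The function names are mine, and the sample mountinfo lines are constructed, not captured from a host; they mirror the report, with an unhardened /dev next to the already restricted /dev/pts and /dev/shm. Two points the thread relies on: noexec only refuses execve() of files on the mount (an interpreter invoked as `sh /dev/call-me.sh` still reads and runs the script), whereas nosuid makes the kernel ignore setuid/setgid bits and file capabilities on that mount, which is what the initramfs-tools fix adds. And nodev must not be applied to /dev or /dev/pts, since those filesystems exist to hold device nodes. Reading mountinfo needs no capabilities, so the audit also works inside an LXC container where the remount workaround does not.

```shell
#!/bin/sh
# Audit nosuid/noexec/nodev on the /dev family of mounts via /proc/self/mountinfo.
# Added example; the function names are assumptions, not from initramfs-tools or systemd.
# mountinfo line layout (proc(5)):
#   id parent major:minor root mountpoint per-mount-opts [tags...] - fstype source super-opts
# Field 6 carries the per-mount flags (nosuid, noexec, nodev, ...) that matter here.

# has_opt MOUNTPOINT OPTION [MOUNTINFO]
# exit 0: option present; 1: mounted but option absent; 2: no such mount point.
# The last matching line wins: that is the mount currently visible at the path.
has_opt() {
    awk -v mp="$1" -v want="$2" '
        $5 == mp { opts = $6 }
        END {
            if (opts == "") exit 2
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == want) exit 0
            exit 1
        }' "${3:-/proc/self/mountinfo}"
}

# required_opts MOUNTPOINT: the flags each mount should carry.
# /dev and /dev/pts exist to hold device nodes, so nodev would break them;
# /dev/shm (and anything else checked) has no reason to allow device nodes.
required_opts() {
    case "$1" in
        /dev|/dev/pts) echo "nosuid noexec" ;;
        *)             echo "nosuid nodev noexec" ;;
    esac
}

# audit_mount MOUNTPOINT [MOUNTINFO]
# Prints "<mp> ok", "<mp> missing: ...", or "<mp>: not mounted"; returns 0, 1 or 2 respectively.
audit_mount() {
    mp=$1
    file=${2:-/proc/self/mountinfo}
    missing=""
    for opt in $(required_opts "$mp"); do
        if has_opt "$mp" "$opt" "$file"; then
            :
        else
            rc=$?
            if [ "$rc" -eq 2 ]; then
                echo "$mp: not mounted"
                return 2
            fi
            missing="$missing $opt"
        fi
    done
    if [ -n "$missing" ]; then
        echo "$mp missing:$missing"
        return 1
    fi
    echo "$mp ok"
    return 0
}

# Constructed sample (not captured from a real host): /dev as mounted before the fix,
# next to the already restricted /dev/pts and /dev/shm.
write_sample_mountinfo() {
    cat > "$1" <<'EOF'
17 22 0:5 / /dev rw,relatime shared:2 - devtmpfs udev rw,size=8k,nr_inodes=1k,mode=755
18 17 0:13 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
19 17 0:14 / /dev/shm rw,nosuid,nodev,noexec shared:4 - tmpfs tmpfs rw
EOF
}

# Demo against the sample. On a live system or inside a container, call:  audit_mount /dev
sample=$(mktemp)
write_sample_mountinfo "$sample"
for mp in /dev /dev/pts /dev/shm; do
    audit_mount "$mp" "$sample" || true
done
rm -f "$sample"
```

Against the sample the demo reports `/dev missing: nosuid noexec` while /dev/pts and /dev/shm pass; on a host with the initramfs-tools 0.120ubuntu4 fix, /dev will still be reported as missing noexec only, which matches comment #15.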
Daniel (hackie) wrote : | #1 |
description: | updated |
information type: | Private Security → Public Security |
Launchpad Janitor (janitor) wrote : | #2 |
Changed in lxc (Ubuntu): | |
status: | New → Confirmed |
Changed in systemd (Ubuntu): | |
status: | New → Confirmed |
Martin Pitt (pitti) wrote : | #4 |
/dev/ is only writable for root and noexec is fairly useless to be honest, but adding nosuid might be a nice little improvement. /dev/pts and /dev/shm have restricted mount options as well, after all.
Changed in systemd (Ubuntu): | |
importance: | Undecided → Wishlist |
status: | Confirmed → Triaged |
Daniel (hackie) wrote : | #5 |
That's not really true. On my system for example, the directory /dev/vboxusb/ exists with permissions
drwxr-x--- 4 root vboxusers 80 May 4 09:09 /dev/vboxusb/
So all users who are in group vboxusers can write to this sub-directory. I'm sure there are more cases like this...
Daniel (hackie) wrote : | #6 |
Ok, my fault. No write permission for the group.
But anyway, I think there is no reason not to use both nosuid and noexec.
Daniel (hackie) wrote : | #7 |
Try this:
onlyauser@
> #!/bin/sh
> echo "I'm executable"
> .e
onlyauser@
onlyauser@
I'm executable
Changed in lxc (Ubuntu): | |
importance: | Undecided → Wishlist |
Daniel (hackie) wrote : | #8 |
Daniel (hackie) wrote : | #9 |
Daniel (hackie) wrote : | #10 |
Daniel (hackie) wrote : | #11 |
The attachment "Patch for lxc on top of f08fee55a1f0ca6
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]
tags: | added: patch |
Martin Pitt (pitti) wrote : | #13 |
Applied the udev.init change in http://
But in all cases the dominating and important thing here is initramfs-tools, where /dev is usually mounted.
Changed in systemd (Ubuntu): | |
status: | Triaged → Invalid |
Martin Pitt (pitti) wrote : | #14 |
Daniel, would you mind forwarding the initramfs-tools change to a Debian bug report?
Changed in initramfs-tools (Ubuntu): | |
importance: | Undecided → Wishlist |
status: | New → Triaged |
status: | Triaged → Fix Committed |
Changed in initramfs-tools (Ubuntu): | |
status: | Fix Committed → Triaged |
Martin Pitt (pitti) wrote : | #15 |
This also applies when booting systemd without an initramfs. NOSUID is already set, but not NOEXEC. I proposed that in https:/
Changed in systemd (Ubuntu): | |
status: | Invalid → In Progress |
Martin Pitt (pitti) wrote : | #16 |
Feedback from upstream at https:/
I committed http://
summary: | - dev file system is mounted without noexec
| + dev file system is mounted without nosuid |
Changed in systemd (Ubuntu): | |
status: | In Progress → Invalid |
Changed in initramfs-tools (Ubuntu): | |
status: | Triaged → Fix Committed |
Launchpad Janitor (janitor) wrote : | #17 |
This bug was fixed in the package initramfs-tools - 0.120ubuntu4
---------------
initramfs-tools (0.120ubuntu4) wily; urgency=medium
* init: Mount /dev with "nosuid". Thanks "Daniel". (LP: #1450960)
-- Martin Pitt <email address hidden> Tue, 15 Sep 2015 07:20:43 +0200
Changed in initramfs-tools (Ubuntu): | |
status: | Fix Committed → Fix Released |
Serge Hallyn (serge-hallyn) wrote : | #18 |
I have no objection to the lxc patches, however I do have concerns that they could cause breakages, so we need to make sure all the testcases pass.
Launchpad Janitor (janitor) wrote : | #19 |
This bug was fixed in the package systemd - 227-2ubuntu1
---------------
systemd (227-2ubuntu1) xenial; urgency=medium
* Merge with Debian unstable. Remaining Ubuntu changes:
- Hack to support system-image read-only /etc, and modify files in
/
- Simpler udev maintainer scripts (all platforms must support udev, no
debconf).
- initramfs init-bottom: If LVM is installed, settle udev,
otherwise we get missing LV symlinks. Workaround for LP #1185394.
- Add debian/
dependencies to "lvm2" which is handled with udev rules in Ubuntu.
- Add debian/
script.
- Provide shutdown fallback for upstart. (LP: #1370329)
- debian/
really support "allow-hotplug" in Ubuntu at the moment, so we need to
deal with "auto" devices appearing after "/etc/init.
already ran. (LP: #1374521)
- ifup@.service: Drop dependency on networking.service (i. e.
/
This avoids unnecessary dependencies/
cycles if hooks wait for other interfaces to come up (like ifenslave
with bonding interfaces). (LP: #1414544)
- Add Get-RTC-
Ubuntu we currently keep the setting whether the RTC is in local or UTC
time in /etc/default/rcS "UTC=yes|no", instead of /etc/adjtime.
(LP: #1377258)
- networkd: Change IPForward= default to "kernel". This keeps
compatibility with lots of packages which expect to be able to
enable global forwarding in /proc/sys/
(LP: #1500992)
- Put session scopes into all cgroup controllers. This makes unprivileged
user LXC containers work under systemd. (LP: #1346734)
- Don't attempt to migrate pid 1 itself when migrating cgroups for started
units; works around some not yet understood cgproxy/systemd interaction.
This particularly unbreaks cgproxy in LXC. (LP: #1491557)
- Lower Breaks: to plymouth version which has the udev inotify fix in
Ubuntu.
- Change systemd-sysv's conflicts to upstart-sysv. (LP: #1422681)
- Don't build new systemd-
libmicroh
- Build using libseccomp on all architectures (See Debian #800818)
Upgrade fixes, keep until 16.04 LTS release:
- systemd Conflicts/
- Remove obsolete systemd-logind upstart job.
- Clean up obsolete /etc/udev/
- systemd.postinst: Migrate mountall specific fstab options to standard
util-linux "nofail" option.
- systemctl: Don't forward telinit u to upstart. This works around
upstart's Restart() always reexec'ing /sbin/init on Restart(), even if
that changes to point to systemd during the upgrade. This avoids running
systemd during a dist-upgrade. (LP: #1430479)
systemd (22...
Changed in systemd (Ubuntu): | |
status: | Invalid → Fix Released |
Status changed to 'Confirmed' because the bug affects multiple users.