Virtual filesystem mounts could use more restrictive mount options
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
initramfs-tools (Ubuntu) | Fix Released | Wishlist | Unassigned |
sysvinit (Ubuntu) | Fix Released | Wishlist | Unassigned |
udev (Ubuntu) | Invalid | Wishlist | Unassigned |
Bug Description
After reading about a recent root exploit that used the /proc filesystem and could have been stopped by applying restrictive permissions to the filesystem, I decided to check my Ubuntu machine.
All the filesystems set up by Ubuntu itself (/dev, /proc, /sys, /var/run, /var/lock, etc.) are mounted rw by default. This is a potential security risk that can be fixed by adding a couple of lines to /etc/fstab!
My fstab reads like this now:
```
# kernel FS:
proc /proc proc nodev,noexec,nosuid 0 0
sysfs /sys sysfs nodev,noexec,nosuid 0 0
udev /dev tmpfs nosuid 0 0
varrun /var/run tmpfs nodev,noexec,nosuid 0 0
varlock /var/lock tmpfs nodev,noexec,nosuid 0 0
```
/dev/shm and /dev/pts could probably do with noexec,nosuid as well, but I am not sure enough to add those at the moment ;-)
The linux-restricte
You might want to think about adding more restrictive permissions to user-created filesystems by default as well.
E.g. /home works fine with nosuid and stops users from storing stolen root shells ;-)
All this can be easily done by editing /etc/fstab, but Ubuntu is about being secure by default, so a user should not need to do that himself IMHO.
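A defender can check whether a running system already carries the options proposed in the report. The following audit script is an added example, not part of the bug report or of any Ubuntu package; it parses mount lines in /proc/mounts format and flags virtual filesystems that lack nodev/noexec/nosuid (nosuid only for the /dev filesystem, matching the report). The sample mount table is constructed, and the policy in wanted_opts is an assumption taken from the report, not an Ubuntu default.

```shell
#!/bin/sh
# Audit mount entries (in /proc/mounts format) for the restrictive options
# the bug report recommends on kernel virtual filesystems.

# Constructed sample: /proc is already hardened, the others are not.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
udev /dev devtmpfs rw,relatime,size=4096k,mode=755 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0'

# has_opt OPTLIST OPT: true if OPT is one of the comma-separated options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# wanted_opts FSTYPE: options a virtual filesystem of this type should carry
# (assumed policy, derived from the fstab in the report; ext4 etc. get none).
wanted_opts() {
    case "$1" in
        proc|sysfs|tmpfs) echo "nodev noexec nosuid" ;;
        devtmpfs) echo "nosuid" ;;
        *) echo "" ;;
    esac
}

# audit_mounts: reads mount lines on stdin, prints one line per finding:
#   <mountpoint> missing:<opt>[,<opt>...]
audit_mounts() {
    while read -r _dev mnt fstype opts _rest; do
        missing=""
        for want in $(wanted_opts "$fstype"); do
            has_opt "$opts" "$want" || missing="${missing:+$missing,}$want"
        done
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$mnt" "$missing"
        fi
    done
}

# count_findings: number of non-compliant mounts in the constructed sample.
count_findings() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts | wc -l | tr -d ' '
}

# Run against the live system with:  audit_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

Four of the six sample mounts are reported; /proc passes and the ext4 root is outside the policy.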
Changed in debian-installer:
importance: Untriaged → Wishlist
Changed in sysvinit:
importance: Untriaged → Wishlist
status: Unconfirmed → Confirmed
Changed in udev:
importance: Untriaged → Wishlist
status: Unconfirmed → Confirmed
Indeed this sounds like an unintrusive, but effective change. We should confine this to new installs, though.