Comment 16 for bug 54530

Scott James Remnant (Canonical) (canonical-scott) wrote : Re: [Bug 54530] Re: Virtual filesystem mounts could use more restrictive mount options

On Wed, 2006-08-09 at 07:01 +0000, Martin Pitt wrote:

> Tobias, I have some questions about /usr/share/initramfs-tools/init
> patch:
>
> -mount -t sysfs none /sys
> -mount -t proc none /proc
> +mount -n -t sysfs -onodev,noexec,nosuid none /sys
> +mount -n -t proc -onodev,noexec,nosuid none /proc
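Review bot: the -n added to both mount lines is not explained anywhere in this hunk; -n only stops mount from writing /etc/mtab, so either drop it or add a comment saying why mtab must not be touched at this point. The options are also written as "-onodev,noexec,nosuid" with no space after -o, while the tmpfs line in the same patch uses "-o size=..."; use one form throughout.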
>
> Why did you add -n? /sys and /proc are in /etc/mtab for me. However, at
> that point / should be readonly.
>
No, at that point / is a memory filesystem (the initramfs) so it doesn't
make much of a difference whether -n is there or not because it's thrown
away at run-init time.

I would take out the "-n" to make debugging the initramfs easier (i.e.
mtab makes sense there).

I'm not really sure what the point of the extra option is though; this
is a kernel virtual filesystem, it doesn't respect those options ANYWAY!
If the kernel wants to stick a setuid root binary, or device, in /proc;
a few mount options aren't going to stop it.

> -mount -t tmpfs -o size=$tmpfs_size,mode=0755 udev /dev
> -> /dev/.initramfs-tools
> +mount -n -t tmpfs -o size=$tmpfs_size,mode=0755,noexec,nosuid udev /dev
> +# > /dev/.initramfs-tools
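Review bot: the "> /dev/.initramfs-tools" line is turned into a comment rather than removed or kept, and nothing in the hunk says why; if the file should no longer be created, delete the line, otherwise leave it active. The -n on the tmpfs mount is likewise undocumented, and a one-line comment stating why noexec and nosuid are added to /dev while nodev is not would save the next reader the question.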
>
Again the "-n" makes no sense, neither does the
"> /dev/.initramfs-tools" to me.

Why noexec or nosuid? I could understand being paranoid, but only root
can create files in /dev anyway.

Scott
--
Scott James Remnant
<email address hidden>
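
One way to check which of the options from the quoted patch are actually in effect on /sys, /proc and /dev, as an added example that is not part of the original message or of initramfs-tools. The function names and the sample mounts table are constructed for illustration.

```shell
#!/bin/sh
# Audit a mounts table (/proc/mounts format) for the options the quoted
# patch adds. Function names are hypothetical, not from initramfs-tools.

# Options the patch adds per mount point (taken from the quoted hunks).
wanted_opts() {
    case "$1" in
        /sys|/proc) echo "nodev noexec nosuid" ;;
        /dev)       echo "noexec nosuid" ;;
    esac
}

# audit_mounts [FILE]: print "<mp> missing: <opts>" for each audited mount
# point lacking a wanted option, or "<mp> not mounted". The last matching
# line wins, because the most recent mount is the one on top.
audit_mounts() {
    table=${1:-/proc/mounts}
    for mp in /sys /proc /dev; do
        opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
        if [ -z "$opts" ]; then
            echo "$mp not mounted"
            continue
        fi
        missing=""
        for want in $(wanted_opts "$mp"); do
            case ",$opts," in
                *",$want,"*) ;;                  # option present
                *) missing="$missing $want" ;;   # option absent
            esac
        done
        if [ -n "$missing" ]; then echo "$mp missing:$missing"; fi
    done
}

# Constructed sample in /proc/mounts format (not from a real system).
audit_sample() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
rootfs / rootfs rw 0 0
none /sys sysfs rw,nosuid,nodev,noexec 0 0
none /proc proc rw 0 0
udev /dev tmpfs rw,nosuid,size=10240k,mode=755 0 0
EOF
    audit_mounts "$tmp"
    rm -f "$tmp"
}

audit_sample
```

Calling `audit_mounts` with no argument reads the running system's /proc/mounts instead of the sample.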