On 18/11/2024 17:23, Kevin Chadwick <kc-dev...@chadwicks.me.uk> wrote:
> My mail server seems to be declined connection by hindley.org.uk and the debian
> bug list. Quite odd. I have no idea why and we have no issues elsewhere.

I am inferring that you have no problem with me quoting you in public.

>>> Hi Debian Security Team,
>>>
>>> Could I have your input on this please? An old bug has been reopened asking for
>>> initscripts to mount debugfs by default. It was closed for several years, but
>>> the workaround has now disappeared.
>>>
>>> In the original thread, concerns were raised about mounting debugfs in all cases
>>> both for security and unnecessary resource usage[1].  Those have been expressed
>>> again now.
>> We had a short discussion about it at our weekly Kernel team meeting, and it
>> should be noted that systemd does that already. We do not see a
>> direct problem to do it as it is restricted to root.
>> 
>> https://meetbot.debian.net/debian-kernel/2024/debian-kernel.2024-11-13-20.00.html
> 
> If the kernel documentation says it should not be mounted by default then why is
> systemd doing so?
> 
> I believe the kernel devs said that userland shouldn't be building upon it and
> that is a reason not to enable it by default. It makes much more sense to me for
> a commented out line to be placed in /etc/fstab?
> 
> As for security. Ideally if it wasn't enabled at boot up then root shouldn't be
> able to mount it. The kernel has powers over root after all.
> 
> Kernel lockdown disables access for security reasons, so what does a user that
> wants hibernate to work on an encrypted system but keep the system as secure as
> possible do? Linux needs to do better here and not worse, IMO.

These are all good points. One resulting question is, why does rasdaemon
need debugfs in the first place? Do the rasdaemon developers want access to
information that the kernel developers think they shouldn't need?

And having briefly looked at the lockdown documentation, I am surprised that
adding debugfs to my fstab has worked, as my kernel claims to be locked down.

Regards,

Roger
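A small audit script, added here as an example and not part of the thread, initscripts or systemd, that checks what Roger describes: whether debugfs is mounted and what the kernel lockdown mode is, reading /proc/mounts and /sys/kernel/security/lockdown (or constructed copies of them, which is how the functions are tested).

```shell
#!/bin/sh
# Added example (not from the thread): report whether debugfs is mounted and
# how that squares with the kernel lockdown state. Both functions take file
# paths so they can be run against the live /proc/mounts and
# /sys/kernel/security/lockdown, or against copies when testing.

# Print the mount point(s) where debugfs is mounted, one per line; empty if none.
debugfs_mounts() {
    # /proc/mounts fields: device mountpoint fstype options dump pass
    [ -r "$1" ] || return 0
    awk '$3 == "debugfs" { print $2 }' "$1"
}

# Print the active lockdown mode. The securityfs file lists every mode with the
# active one in brackets, e.g. "none [integrity] confidentiality".
lockdown_mode() {
    if [ ! -r "$1" ]; then
        echo "unavailable"
        return 0
    fi
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# Combine both into a one-line verdict (mounts file, lockdown file).
debugfs_audit() {
    mode=$(lockdown_mode "$2")
    mp=$(debugfs_mounts "$1" | head -n 1)
    if [ -z "$mp" ]; then
        echo "debugfs not mounted (lockdown: $mode)"
    elif [ "$mode" = "integrity" ] || [ "$mode" = "confidentiality" ]; then
        # Lockdown gates access to debugfs files, not the mount itself, so a
        # successful mount under lockdown is not by itself a misconfiguration.
        echo "debugfs mounted at $mp under lockdown=$mode; lockdown restricts file access, not the mount"
    else
        echo "debugfs mounted at $mp (lockdown: $mode)"
    fi
}

# Report on the running system.
debugfs_audit /proc/mounts /sys/kernel/security/lockdown
```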
