On Tue, May 22, 2007 at 12:43:37AM +0200, Marco d'Itri ([EMAIL PROTECTED])
wrote:
> On May 22, "Karsten M. Self" <[EMAIL PROTECTED]> wrote:
>
> > Reviewing mount options for various real and virtual filesystems, I'm
> > wondering if it might be preferable to set the nosuid and possibly
> > noexec options for udev (obviously it cannot be made nodev ;-).
> This looks like security by obscurity.
No, it's security by principle of least privilege. Obscurity would be
hiding /dev under some random pathname.
There are a number of other mountpoints which have limited privileges
set. /proc was changed in 2006 (see Bug 378984) to protect against a
kernel /proc filesystem vulnerability noted July 19, 2006 at LWN:
http://lwn.net/Articles/191954/
> > There's a possible concern with mmap() and mprotect() for noexec
> > mounts, but restricting the ability to create suid files may be a
> > positive security measure.
> Can you provide a more compelling argument? Have you tried doing this on
> a large number of systems to check if something would break?
Turnabout's fair play: can you provide a compelling argument why we
*do* need to permit arbitrary creation of suid / exec files under udev?
One problem at present even for testing purposes is sorting where to
provide mount options within /etc/init.d/udev. I've defined
UDEV_MOUNTOPTS within the file (this should be in /etc/default/udev) and
modified the tmpfs mount line to read:
mount -n -o size=$tmpfs_size,mode=0755 -o $UDEV_MOUNTOPTS \
-t tmpfs tmpfs $udev_root
I'll report w/ any issues.
--
Karsten M. Self <[EMAIL PROTECTED]>
SFI / Cadence Design Systems
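An added shell example, not part of the original message, that audits mount-table lines for the nosuid/noexec options discussed above. The mount table is a constructed sample in /proc/self/mounts format and the function names are my own.

```shell
#!/bin/sh
# Audit whether a mount point carries the nosuid/noexec options.
# Input format is that of /proc/self/mounts:
#   "device mountpoint fstype options dump pass"
# Constructed sample table (not from a real host): udev's tmpfs on /dev
# with only the size/mode options from the init script, plus /proc as a
# hardened reference and /dev/shm as a partially hardened one.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
tmpfs /dev tmpfs rw,size=10240k,mode=755 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# mount_options TABLE MOUNTPOINT -> prints the option field of that exact mountpoint
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_option OPTS OPT -> succeeds if OPT is present as a whole comma-separated item
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_hardening TABLE MOUNTPOINT -> prints the options absent from the mount
# (space-separated) and returns 0 only when nosuid and noexec are both set.
missing_hardening() {
    opts=$(mount_options "$1" "$2")
    missing=""
    for want in nosuid noexec; do
        has_option "$opts" "$want" || missing="$missing $want"
    done
    missing=${missing# }
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Stand-alone run over the constructed table; on a live system pass
# "$(cat /proc/self/mounts)" instead of "$SAMPLE_MOUNTS".
for mp in /dev /proc /dev/shm; do
    if result=$(missing_hardening "$SAMPLE_MOUNTS" "$mp"); then
        echo "$mp: nosuid,noexec present"
    else
        echo "$mp: missing $result"
    fi
done
```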