Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel
On 18/11/2024 17:23, Kevin Chadwick wrote:
> My mail server seems to be declined connection by hindley.org.uk and the
> debian bug list. Quite odd. I have no idea why and we have no issues elsewhere.

I am inferring that you have no problem with me quoting you in public.

>>> Hi Debian Security Team,
>>>
>>> Could I have your input on this please? An old bug has been reopened asking
>>> for initscripts to mount debugfs by default. It was closed for several years,
>>> but the workaround has now disappeared.
>>>
>>> In the original thread, concerns were raised about mounting debugfs in all
>>> cases both for security and unnecessary resource usage[1]. Those have been
>>> expressed again now.
>> We had a short discussion about it at our weekly Kernel team meeting, and
>> it should be noted that systemd does that already. We do not see a
>> direct problem to do it as it is restricted to root.
>>
>> https://meetbot.debian.net/debian-kernel/2024/debian-kernel.2024-11-13-20.00.html
>
> If the kernel documentation says it should not be mounted by default then why
> is systemd doing so?
>
> I believe the kernel devs said that userland shouldn't be building upon it and
> that is a reason not to enable it by default. It makes much more sense to me
> for a commented out line to be placed in /etc/fstab?
>
> As for security. Ideally if it wasn't enabled at boot up then root shouldn't
> be able to mount it. The kernel has powers over root after all.
>
> Kernel lockdown disables access for security reasons, so what does a user that
> wants hibernate to work on an encrypted system but keep the system as secure
> as possible do? Linux needs to do better here and not worse, IMO.

These are all good points. One resulting question is, why does rasdaemon need
debugfs in the first place? Do the rasdaemon developers want access to
information that the kernel developers think they shouldn't need?

And having briefly looked at the lockdown documentation, I am surprised that
adding debugfs to my fstab has worked, as my kernel claims to be locked down.

Regards,
Roger
Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel
Hi,

On Mon, Nov 11, 2024 at 07:19:40PM +, Mark Hindley wrote:
> Hi Debian Security Team,
>
> Could I have your input on this please? An old bug has been reopened asking
> for initscripts to mount debugfs by default. It was closed for several years,
> but the workaround has now disappeared.
>
> In the original thread, concerns were raised about mounting debugfs in all
> cases both for security and unnecessary resource usage[1]. Those have been
> expressed again now.

We had a short discussion about it at our weekly Kernel team meeting, and it
should be noted that systemd does that already. We do not see a direct problem
to do it as it is restricted to root.

https://meetbot.debian.net/debian-kernel/2024/debian-kernel.2024-11-13-20.00.html

Regards,
Salvatore
Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel
I think this reply has been somewhat overtaken by others, but I'll send it anyway.

On 08/11/2024 11:04, Mark Hindley wrote:
> Reading the original thread, I share some of the concerns[1] about enabling
> this globally.
>
> Are these still valid?

I don't know. I was going from the fact that it is now apparently enabled by
default in systemd, so I assumed it can't be all that bad, and while it might
not be a good idea, it does put pressure on other init systems to follow suit.

I agree with what Thorsten Glaser has written in his reply and if debugfs is
problematic then it shouldn't be enabled by default anywhere.

Part of the problem seems to lie with rasdaemon, which relies on a system of
doubtful security being enabled just to read information about errors from ECC
memory, but doesn't provide any instructions on how to enable it yourself.
Doing this is simple enough once you've found out how, and I now have the
following in /etc/fstab:

    debugfs /sys/kernel/debug debugfs defaults 0 0

But I don't know how ill-advised that is from a security standpoint.

Thanks for looking into this,

Roger

> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539352#18
Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel
Hi Debian Security Team,

Could I have your input on this please? An old bug has been reopened asking for
initscripts to mount debugfs by default. It was closed for several years, but
the workaround has now disappeared.

In the original thread, concerns were raised about mounting debugfs in all cases
both for security and unnecessary resource usage[1]. Those have been expressed
again now.

On Sat, Nov 09, 2024 at 12:38:30AM +0100, Thorsten Glaser wrote:
> On Fri, 8 Nov 2024, Mark Hindley wrote:
>
> >Reading the original thread, I share some of the concerns[1] about
> >enabling this globally.
>
> I’ve recently worked with debugfs+relayfs in a project,
> and I share the opinion of the kernel documentation that
> it should not be enabled by default (or rather, it should
> not be mounted by default in this case — enabling in the
> kernels is probably good).

Do you have any input into whether these concerns are sufficiently well founded?

Thanks for your help.

Mark

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539352#18
Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel
On Fri, 8 Nov 2024, Mark Hindley wrote:

>Reading the original thread, I share some of the concerns[1] about
>enabling this globally.

I’ve recently worked with debugfs+relayfs in a project,
and I share the opinion of the kernel documentation that
it should not be enabled by default (or rather, it should
not be mounted by default in this case — enabling in the
kernels is probably good).

However, if the other thing mounts it by default, that will
cause unnecessary friction we would do best to avoid.

I’d suggest asking the security team about this and then
adjust either initscripts or the other thingy to match.

bye,
//mirabilos
--
22:20⎜ The crazy that persists in his craziness becomes a master
22:21⎜ And the distance between the craziness and geniality is only measured by the success
18:35⎜ "Psychotics are consistently inconsistent. The essence of sanity is to be inconsistently inconsistent
Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel
Roger,

Thanks for this.

Reading the original thread, I share some of the concerns[1] about enabling
this globally.

Are these still valid?

Mark

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539352#18
Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel
Package: initscripts
Version: 3.06-4
Followup-For: Bug #539352
Control: reopen 539352

Hi,

Debugfs is apparently now mounted by systemd and not blktrace[0], so the bodge
of installing an unrelated package solely for its side effect of mounting
debugfs no longer works. As a result packages such as rasdaemon fail to start
under sysvinit.[1]

Please reconsider mounting debugfs.

Thanks,

Roger

[0] https://bugs.debian.org/968357
[1] https://bugs.debian.org/981631

-- System Information:
Debian Release: 12.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.10.11+bpo-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages initscripts depends on:
ii  sysv-rc         3.06-4
ii  sysvinit-utils  3.06-4

Versions of packages initscripts recommends:
ii  e2fsprogs  1.47.0-2
ii  psmisc     23.6-1

initscripts suggests no packages.

-- no debconf information
Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel
On Sun, Aug 16, 2009 at 09:23:30PM +0200, Petter Reinholdtsen wrote:
> Note that the blktrace package provides a mountdebugfs init.d script
> which seems to solve this problem. Perhaps it should be made a common
> solution for all those needing debugfs mounted?

Yeah, a debugfs-common package seems pretty sensible.

- Josh Triplett
Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel
Note that the blktrace package provides a mountdebugfs init.d script which
seems to solve this problem. Perhaps it should be made a common solution for
all those needing debugfs mounted?

Happy hacking,
--
Petter Reinholdtsen
Bug#539352: [Pkg-sysvinit-devel] Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel
On Sat, 01 Aug 2009, Josh Triplett wrote:
> On Fri, Jul 31, 2009 at 11:33:28PM +0200, Petter Reinholdtsen wrote:
> > [Josh Triplett]
> > > Please consider automatically mounting debugfs on /sys/kernel/debug
> > > when available.
> >
> > Why should this be done in the init.d scripts installed on each Debian
> > system, and not in some special package handling debugfs? What is
> > debugfs and who is using it?
>
> debugfs provides an interface to in-kernel tracing and debugging
> facilities. The Debian kernels have debugfs available. Various

Eh? It is supposed to provide an interface to in-kernel *KERNEL* debugging
facilities. It is NOT covered by the stable kernel-userspace ABI rules (in
fact, debugfs is the only thing that isn't covered by those rules), and we
(userspace distros) *REALLY* want to make a major pest of ourselves to anyone
trying to abuse debugfs in kernel-land to avoid doing his interface design
properly on sysfs, relayfs, /dev, or using netlink...

> subsystems have debugfs interfaces, including ftrace, usbmon, dri, kvm,
> and wireless.

IMHO, we should support it, yes. In /etc/fstab but using "noauto".

> I'd suggest mounting debugfs by default because doing so will allow
> tracing tools like sysprof (packaged in Debian) and trace-cmd to work
> without additional configuration. Mounting debugfs does not entail any
> overhead apart from the time for one call to mount.

Are you sure? It should at least waste some memory for inodes and other crap.

It is also the sort of thing one would *expect* to often disclose a lot more
information about devices, device drivers, etc. And also to have people be
even less careful about security issues than normal. I *wouldn't* like it
mounted with anything but mode 0700 on any system of mine, and I'd rather not
have it mounted at all.

> Note that /etc/fstab seems like the *wrong* place to mount debugfs,
> because that would generate an error if booting a kernel without
> debugfs, and because that would require additional configuration before
> packages using debugfs would work.

It generates no errors if you give it the "noauto" option ;-)

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel
On Fri, Jul 31, 2009 at 11:33:28PM +0200, Petter Reinholdtsen wrote:
> [Josh Triplett]
> > Please consider automatically mounting debugfs on /sys/kernel/debug
> > when available.
>
> Why should this be done in the init.d scripts installed on each Debian
> system, and not in some special package handling debugfs? What is
> debugfs and who is using it?

debugfs provides an interface to in-kernel tracing and debugging facilities.
The Debian kernels have debugfs available. Various subsystems have debugfs
interfaces, including ftrace, usbmon, dri, kvm, and wireless.

I'd suggest mounting debugfs by default because doing so will allow tracing
tools like sysprof (packaged in Debian) and trace-cmd to work without
additional configuration. Mounting debugfs does not entail any overhead apart
from the time for one call to mount.

mountkernfs already mounts other kernel filesystems, so it seemed like the
right place to mount debugfs. Obviously a debugfs-common package could do the
same thing, and packages which want to have debugfs enabled by default could
depend on that; on the other hand, it seems somewhat silly to have a package
for a five-line init script.

Note that /etc/fstab seems like the *wrong* place to mount debugfs, because
that would generate an error if booting a kernel without debugfs, and because
that would require additional configuration before packages using debugfs
would work.

- Josh Triplett
Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel
[Josh Triplett]
> Please consider automatically mounting debugfs on /sys/kernel/debug
> when available.

Why should this be done in the init.d scripts installed on each Debian system,
and not in some special package handling debugfs? What is debugfs and who is
using it?

Happy hacking,
--
Petter Reinholdtsen
Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel
Package: initscripts
Version: 2.86.ds1-65
Severity: wishlist
File: /etc/init.d/mountkernfs.sh

Please consider automatically mounting debugfs on /sys/kernel/debug when
available. Adding the following code to /etc/init.d/mountkernfs.sh, after the
mount of sysfs, will do that:

    if grep -E -qs "debugfs\$" /proc/filesystems && [ -d /sys/kernel/debug ]
    then
        domount debugfs "" /sys/kernel/debug debugfs -onodev,noexec,nosuid
    fi

- Josh Triplett

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.31-rc4 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages initscripts depends on:
ii  debianutils     3.2           Miscellaneous utilities specific t
ii  libc6           2.9-12        GNU C Library: Shared libraries
ii  lsb-base        3.2-22        Linux Standard Base 3.2 init scrip
ii  mount           2.15.1~rc1-1  Tools for mounting and manipulatin
ii  sysvinit-utils  2.86.ds1-65   System-V-like utilities

Versions of packages initscripts recommends:
ii  e2fsprogs  1.41.3-1  ext2/ext3/ext4 file system utiliti
ii  psmisc     22.7-1    utilities that use the proc file s

initscripts suggests no packages.

-- no debconf information
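An audit script added here as an example (it is not code from any message in this thread or from the initscripts package). It reuses the availability test from Josh's mountkernfs.sh snippet over constructed /proc/filesystems and /proc/mounts samples, checks whether an existing debugfs mount carries the nodev,noexec,nosuid options, checks for the root-only mode 0700 mount point Henrique prefers, and emits the noauto /etc/fstab line he suggests; the stat format string assumes GNU stat.

```shell
#!/bin/sh
# Added example, not code from the bug thread: audit helpers for the debugfs
# mount policy discussed above. The two samples below are constructed in the
# shape of /proc/filesystems and /proc/mounts so the script runs offline.

SAMPLE_FILESYSTEMS=$(printf 'nodev\tsysfs\nnodev\tproc\nnodev\tdebugfs\n\text4\n')
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0'

# kernel_has_debugfs TEXT: the same grep as the mountkernfs.sh snippet, run
# over the given text instead of /proc/filesystems. 0 if debugfs is built in.
kernel_has_debugfs() {
    printf '%s\n' "$1" | grep -E -qs "debugfs\$"
}

# debugfs_mount_opts TEXT: print the option string of the debugfs mount at
# /sys/kernel/debug, or nothing if it is not mounted.
debugfs_mount_opts() {
    printf '%s\n' "$1" | awk '$2 == "/sys/kernel/debug" && $3 == "debugfs" { print $4; exit }'
}

# debugfs_opts_hardened OPTS: 0 only if nodev, noexec and nosuid are all set.
debugfs_opts_hardened() {
    for want in nodev noexec nosuid; do
        case ",$1," in *",$want,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# debugfs_dir_private DIR: 0 if DIR is owned by uid 0 with mode 0700, the
# tightest permission mentioned in the thread. Assumes GNU stat.
debugfs_dir_private() {
    [ "$(stat -c '%u:%a' "$1" 2>/dev/null)" = "0:700" ]
}

# debugfs_fstab_line: an /etc/fstab entry that keeps debugfs mountable by root
# on demand (noauto) without mounting it at boot, with restrictive options.
debugfs_fstab_line() {
    printf 'debugfs /sys/kernel/debug debugfs noauto,nodev,noexec,nosuid 0 0\n'
}

# Stand-alone run over the constructed samples.
opts=$(debugfs_mount_opts "$SAMPLE_MOUNTS")
if kernel_has_debugfs "$SAMPLE_FILESYSTEMS" && ! debugfs_opts_hardened "$opts"; then
    echo "debugfs is not mounted with nodev,noexec,nosuid (current options: '$opts')"
    echo "fstab alternative: $(debugfs_fstab_line)"
fi
```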