Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel

2024-11-18 Thread Roger Lynn
On 18/11/2024 17:23, Kevin Chadwick  wrote:
> My mail server seems to be declined connection by hindley.org.uk and the debian
> bug list. Quite odd. I have no idea why and we have no issues elsewhere.

I am inferring that you have no problem with me quoting you in public.

>>> Hi Debian Security Team,
>>>
>>> Could I have your input on this please? An old bug has been reopened asking for
>>> initscripts to mount debugfs by default. It was closed for several years, but
>>> the workaround has now disappeared.
>>>
>>> In the original thread, concerns were raised about mounting debugfs in all cases
>>> both for security and unnecessary resource usage[1].  Those have been expressed
>>> again now.
>> We had a short discussion about it at our weekly Kernel team meeting, and it
>> should be noted that systemd does that already. We do not see a direct
>> problem in doing it as it is restricted to root.
>> 
>> https://meetbot.debian.net/debian-kernel/2024/debian-kernel.2024-11-13-20.00.html
> 
> If the kernel documentation says it should not be mounted by default then why is
> systemd doing so?
> 
> I believe the kernel devs said that userland shouldn't be building upon it and
> that is a reason not to enable it by default. It makes much more sense to me for
> a commented out line to be placed in /etc/fstab?
> 
> As for security. Ideally if it wasn't enabled at boot up then root shouldn't be
> able to mount it. The kernel has powers over root after all.
> 
> Kernel lockdown disables access for security reasons, so what does a user that
> wants hibernate to work on an encrypted system but keep the system as secure as
> possible do? Linux needs to do better here and not worse, IMO.

These are all good points. One resulting question is, why does rasdaemon
need debugfs in the first place? Do the rasdaemon developers want access to
information that the kernel developers think they shouldn't need?

And having briefly looked at the lockdown documentation, I am surprised that
adding debugfs to my fstab has worked, as my kernel claims to be locked down.

Regards,

Roger



Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel

2024-11-16 Thread Salvatore Bonaccorso
Hi,

On Mon, Nov 11, 2024 at 07:19:40PM +, Mark Hindley wrote:
> Hi Debian Security Team,
> 
> Could I have your input on this please? An old bug has been reopened asking for
> initscripts to mount debugfs by default. It was closed for several years, but
> the workaround has now disappeared.
> 
> In the original thread, concerns were raised about mounting debugfs in all cases
> both for security and unnecessary resource usage[1].  Those have been expressed
> again now.

We had a short discussion about it at our weekly Kernel team meeting, and it
should be noted that systemd does that already. We do not see a direct
problem in doing it as it is restricted to root.

https://meetbot.debian.net/debian-kernel/2024/debian-kernel.2024-11-13-20.00.html

Regards,
Salvatore



Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel

2024-11-11 Thread Roger Lynn
I think this reply has been somewhat overtaken by others, but I'll send it
anyway.

On 08/11/2024 11:04, Mark Hindley wrote:
> Reading the original thread, I share some of the concerns[1] about enabling this
> globally.
> 
> Are these still valid?

I don't know. I was going from the fact that it is now apparently enabled by
default in systemd, so I assumed it can't be all that bad, and while it
might not be a good idea, it does put pressure on other init systems to
follow suit. I agree with what Thorsten Glaser has written in his reply and
if debugfs is problematic then it shouldn't be enabled by default anywhere.

Part of the problem seems to lie with rasdaemon, which relies on a system of
doubtful security being enabled just to read information about errors from
ECC memory, but doesn't provide any instructions on how to enable it
yourself. Doing this is simple enough once you've found out how, and I now
have the following in /etc/fstab:

debugfs /sys/kernel/debug debugfs defaults 0 0

But I don't know how ill-advised that is from a security standpoint.

Thanks for looking into this,

Roger


> [1]  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539352#18



Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel

2024-11-11 Thread Mark Hindley
Hi Debian Security Team,

Could I have your input on this please? An old bug has been reopened asking for
initscripts to mount debugfs by default. It was closed for several years, but
the workaround has now disappeared.

In the original thread, concerns were raised about mounting debugfs in all cases
both for security and unnecessary resource usage[1].  Those have been expressed
again now.

On Sat, Nov 09, 2024 at 12:38:30AM +0100, Thorsten Glaser wrote:
> On Fri, 8 Nov 2024, Mark Hindley wrote:
> 
> >Reading the original thread, I share some of the concerns[1] about
> >enabling this globally.
> 
> I’ve recently worked with debugfs+relayfs in a project,
> and I share the opinion of the kernel documentation that
> it should not be enabled by default (or rather, it should
> not be mounted by default in this case — enabling in the
> kernels is probably good).

Do you have any input into whether these concerns are sufficiently well founded?

Thanks for your help.

Mark

[1]  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539352#18



Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel

2024-11-08 Thread Thorsten Glaser
On Fri, 8 Nov 2024, Mark Hindley wrote:

>Reading the original thread, I share some of the concerns[1] about
>enabling this globally.

I’ve recently worked with debugfs+relayfs in a project,
and I share the opinion of the kernel documentation that
it should not be enabled by default (or rather, it should
not be mounted by default in this case — enabling in the
kernels is probably good).

However, if the other thing mounts it by default, that will
cause unnecessary friction we would do best to avoid.

I’d suggest asking the security team about this and then
adjust either initscripts or the other thingy to match.

bye,
//mirabilos
-- 
22:20⎜ The crazy that persists in his craziness becomes a master
22:21⎜ And the distance between the craziness and geniality is
only measured by the success 18:35⎜ "Psychotics are consistently
inconsistent. The essence of sanity is to be inconsistently inconsistent



Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel

2024-11-08 Thread Mark Hindley
Roger,

Thanks for this.

Reading the original thread, I share some of the concerns[1] about enabling this
globally.

Are these still valid?

Mark

[1]  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539352#18



Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel

2024-11-06 Thread Roger Lynn
Package: initscripts
Version: 3.06-4
Followup-For: Bug #539352
Control: reopen 539352

Hi,

Debugfs is apparently now mounted by systemd and not blktrace[0], so the
bodge of installing an unrelated package solely for its side effect of
mounting debugfs no longer works. As a result packages such as rasdaemon
fail to start under sysvinit.[1]

Please reconsider mounting debugfs.

Thanks,

Roger

[0] https://bugs.debian.org/968357
[1] https://bugs.debian.org/981631

-- System Information:
Debian Release: 12.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.10.11+bpo-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages initscripts depends on:
ii  sysv-rc 3.06-4
ii  sysvinit-utils  3.06-4

Versions of packages initscripts recommends:
ii  e2fsprogs  1.47.0-2
ii  psmisc 23.6-1

initscripts suggests no packages.

-- no debconf information



Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel

2009-08-16 Thread Josh Triplett
On Sun, Aug 16, 2009 at 09:23:30PM +0200, Petter Reinholdtsen wrote:
> Note that the blktrace package provides a mountdebugfs init.d script
> which seems to solve this problem.  Perhaps it should be made a common
> solution for all those needing debugfs mounted?

Yeah, a debugfs-common package seems pretty sensible.

- Josh Triplett



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel

2009-08-16 Thread Petter Reinholdtsen
Note that the blktrace package provides a mountdebugfs init.d script
which seems to solve this problem.  Perhaps it should be made a common
solution for all those needing debugfs mounted?

Happy hacking,
-- 
Petter Reinholdtsen



Bug#539352: [Pkg-sysvinit-devel] Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel

2009-08-02 Thread Henrique de Moraes Holschuh
On Sat, 01 Aug 2009, Josh Triplett wrote:
> On Fri, Jul 31, 2009 at 11:33:28PM +0200, Petter Reinholdtsen wrote:
> > [Josh Triplett]
> > > Please consider automatically mounting debugfs on /sys/kernel/debug
> > > when available.
> > 
> > Why should this be done in the init.d scripts installed on each Debian
> > system, and not in some special package handling debugfs?  What is
> > debugfs and who is using it?
> 
> debugfs provides an interface to in-kernel tracing and debugging
> facilities.  The Debian kernels have debugfs available.  Various

Eh?  It is supposed to provide an interface to in-kernel *KERNEL* debugging
facilities.  It is NOT covered by the stable kernel-userspace ABI rules (in
fact, debugfs is the only thing that isn't covered by those rules), and we
(userspace distros) *REALLY* want to make a major pest of ourselves to
anyone trying to abuse debugfs in kernel-land to avoid doing his interface
design properly on sysfs, relayfs, /dev, or using netlink...

> subsystems have debugfs interfaces, including ftrace, usbmon, dri, kvm,
> and wireless.

IMHO, we should support it, yes.  In /etc/fstab but using "noauto".

> I'd suggest mounting debugfs by default because doing so will allow
> tracing tools like sysprof (packaged in Debian) and trace-cmd to work
> without additional configuration.  Mounting debugfs does not entail any
> overhead apart from the time for one call to mount.

Are you sure?  It should at least waste some memory for inodes and other
crap.  It is also the sort of thing one would *expect* to often disclose a
lot more information about devices, device drivers, etc.  And also to have
people be even less careful about security issues than normal.  I *wouldn't*
like it mounted with anything but mode 0700 on any system of mine, and I'd
rather not have it mounted at all.

> Note that /etc/fstab seems like the *wrong* place to mount debugfs,
> because that would generate an error if booting a kernel without
> debugfs, and because that would require additional configuration before
> packages using debugfs would work.

It generates no errors if you give it the "noauto" option ;-)

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
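The mount options argued over in this bug (the nodev,noexec,nosuid in the proposed mountkernfs.sh snippet, Henrique's wish for nothing more permissive than mode 0700, and Roger's fstab entry that uses plain "defaults") are all visible in /proc/mounts, so an administrator can check how debugfs actually ended up mounted on a given host. The POSIX sh audit below is an added example and is not code from this thread or from the initscripts package; the sample mount tables are constructed, and the mode check assumes, as the kernel's debugfs code does, that mode= is only reported when it differs from the filesystem's default root mode of 0700.

```sh
#!/bin/sh
# Added audit example for the debugfs mount discussed in this bug; it is not
# code from the thread or from initscripts. It reads /proc/mounts-style lines
# on stdin and reports whether debugfs is mounted at /sys/kernel/debug and
# whether the mount carries nodev,noexec,nosuid and a 0700 root directory.
# On a live host: audit_debugfs < /proc/mounts

# Constructed sample mount tables (not captured from any real host).
WEAK_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0'
HARDENED_MOUNTS='debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0'
PERMISSIVE_MOUNTS='debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0'
NO_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Print the option field of the debugfs mount at /sys/kernel/debug, or nothing.
debugfs_options() {
    awk '$2 == "/sys/kernel/debug" && $3 == "debugfs" { print $4; exit }'
}

# Succeed if the comma-separated option list $1 contains the option $2.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# debugfs reports mode= only when it differs from its default of 0700
# (assumption drawn from the kernel's debugfs show_options behaviour), so an
# absent mode= is acceptable; an explicit mode= must be 700.
mode_ok() {
    case ",$1," in
        *",mode="*) has_option "$1" "mode=700" || has_option "$1" "mode=0700" ;;
        *) return 0 ;;
    esac
}

# Classify the debugfs mount described on stdin. Prints one of
#   absent                 (returns 0): debugfs is not mounted
#   hardened               (returns 0): nodev,noexec,nosuid present, mode 0700
#   weak (missing: ...)    (returns 1): lists what is missing
audit_debugfs() {
    opts="$(debugfs_options)"
    if [ -z "$opts" ]; then
        echo absent
        return 0
    fi
    missing=""
    for want in nodev noexec nosuid; do
        has_option "$opts" "$want" || missing="$missing $want"
    done
    mode_ok "$opts" || missing="$missing mode=700"
    if [ -z "$missing" ]; then
        echo hardened
        return 0
    fi
    echo "weak (missing:$missing)"
    return 1
}

# Demo over the constructed samples; '|| :' keeps a weak verdict from
# aborting a shell running with set -e.
for sample in "$WEAK_MOUNTS" "$HARDENED_MOUNTS" "$PERMISSIVE_MOUNTS" "$NO_MOUNTS"; do
    printf '%s\n' "$sample" | audit_debugfs || :
done
```

The check only looks at the permissions of the debugfs root, which is all /proc/mounts can tell you; it says nothing about what individual driver files underneath expose, which is the disclosure concern raised in this thread. Keeping the root at its 0700 default and not mounting debugfs where nothing needs it remain the practical mitigations.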



Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel

2009-08-01 Thread Josh Triplett
On Fri, Jul 31, 2009 at 11:33:28PM +0200, Petter Reinholdtsen wrote:
> [Josh Triplett]
> > Please consider automatically mounting debugfs on /sys/kernel/debug
> > when available.
> 
> Why should this be done in the init.d scripts installed on each Debian
> system, and not in some special package handling debugfs?  What is
> debugfs and who is using it?

debugfs provides an interface to in-kernel tracing and debugging
facilities.  The Debian kernels have debugfs available.  Various
subsystems have debugfs interfaces, including ftrace, usbmon, dri, kvm,
and wireless.

I'd suggest mounting debugfs by default because doing so will allow
tracing tools like sysprof (packaged in Debian) and trace-cmd to work
without additional configuration.  Mounting debugfs does not entail any
overhead apart from the time for one call to mount.

mountkernfs already mounts other kernel filesystems, so it seemed like
the right place to mount debugfs.  Obviously a debugfs-common package
could do the same thing, and packages which want to have debugfs enabled
by default could depend on that; on the other hand, it seems somewhat
silly to have a package for a five-line init script.

Note that /etc/fstab seems like the *wrong* place to mount debugfs,
because that would generate an error if booting a kernel without
debugfs, and because that would require additional configuration before
packages using debugfs would work.

- Josh Triplett



Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel

2009-07-31 Thread Petter Reinholdtsen
[Josh Triplett]
> Please consider automatically mounting debugfs on /sys/kernel/debug
> when available.

Why should this be done in the init.d scripts installed on each Debian
system, and not in some special package handling debugfs?  What is
debugfs and who is using it?

Happy hacking,
-- 
Petter Reinholdtsen



Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel

2009-07-30 Thread Josh Triplett
Package: initscripts
Version: 2.86.ds1-65
Severity: wishlist
File: /etc/init.d/mountkernfs.sh

Please consider automatically mounting debugfs on /sys/kernel/debug when
available.  Adding the following code to /etc/init.d/mountkernfs.sh,
after the mount of sysfs, will do that:

if grep -E -qs "debugfs\$" /proc/filesystems && [ -d /sys/kernel/debug ]
then
	domount debugfs "" /sys/kernel/debug debugfs -onodev,noexec,nosuid
fi

- Josh Triplett

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.31-rc4 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages initscripts depends on:
ii  debianutils 3.2  Miscellaneous utilities specific t
ii  libc6   2.9-12   GNU C Library: Shared libraries
ii  lsb-base3.2-22   Linux Standard Base 3.2 init scrip
ii  mount   2.15.1~rc1-1 Tools for mounting and manipulatin
ii  sysvinit-utils  2.86.ds1-65  System-V-like utilities

Versions of packages initscripts recommends:
ii  e2fsprogs 1.41.3-1   ext2/ext3/ext4 file system utiliti
ii  psmisc22.7-1 utilities that use the proc file s

initscripts suggests no packages.

-- no debconf information


