Marking as triaged/wishlist for LXC, I can't think of a good reason not
to mount with nosuid so such a patch would still be welcome.

** Changed in: lxc (Ubuntu)
       Status: Confirmed => Triaged

You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.

  dev file system is mounted without nosuid

Status in initramfs-tools package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
Status in systemd package in Ubuntu:
  Fix Released

Bug description:
  I just found that the /dev filesystem of most Ubuntu system is mounted
  without noexec, nosuid etc options.

  If you do everything to harden your system, and you are using squashfs
  as root file system (which is read-only), such auto-mounted devices
  can be a serious leak.

  This volume usually is quite small and for most folders only root has
  write access, so I don't know how much this bug is security relevant,
  but I think there is no reason to not change the mount options for
  /dev. And especially for LXC containers, I don't even know a
  workaround to fix it.


  me:~# cat >/dev/ <<.e
  > #!/bin/sh
  > echo "I'm executable"
  > .e

  me:~# chmod +x /dev/

  me:~# /dev/
  I'm executable


  me:~# /dev/
  -bash: /dev/ Permission denied


  me:~# mount -oremount,noexec,nosuid /dev

  me:~# /dev/
  -bash: /dev/ Permission denied

  Unfortunately, this workaround doesn't work in LXC containers (where
  the same problem occurs) because of missing capabilities.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: udev 204-5ubuntu20.11
  ProcVersionSignature: Ubuntu 3.13.0-49.83-generic 3.13.11-ckt17
  Uname: Linux 3.13.0-49-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.10
  Architecture: amd64
  CurrentDesktop: XFCE
  CurrentDmesg: Error: command ['sh', '-c', 'dmesg | comm -13 --nocheck-order 
/var/log/dmesg -'] failed with exit code 1: comm: /var/log/dmesg: Permission 
  CustomUdevRuleFiles: 51-android.rules 60-vboxdrv.rules
  Date: Sat May  2 01:48:26 2015
  MachineType: Gigabyte Technology Co., Ltd. H97-HD3
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-49-generic 
root=/dev/mapper/vg_ssd-lv_system_trusty1404 ro
  SourcePackage: systemd
  UpgradeStatus: Upgraded to trusty on 2014-04-18 (378 days ago) 06/26/2014
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: F5
  dmi.board.asset.tag: To be filled by O.E.M. H97-HD3
  dmi.board.vendor: Gigabyte Technology Co., Ltd.
  dmi.board.version: x.x
  dmi.chassis.asset.tag: To Be Filled By O.E.M.
  dmi.chassis.type: 3
  dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
  dmi.chassis.version: To Be Filled By O.E.M.
dmi:bvnAmericanMegatrendsInc.:bvrF5:bd06/26/2014:svnGigabyteTechnologyCo.,Ltd.:pnH97-HD3:pvrTobefilledbyO.E.M.:rvnGigabyteTechnologyCo.,Ltd.:rnH97-HD3:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvrToBeFilledByO.E.M.: H97-HD3
  dmi.product.version: To be filled by O.E.M.
  dmi.sys.vendor: Gigabyte Technology Co., Ltd.

To manage notifications about this bug go to:

Mailing list:
Post to     :
Unsubscribe :
More help   :

Reply via email to