Marking as triaged/wishlist for LXC, I can't think of a good reason not to mount with nosuid so such a patch would still be welcome.
** Changed in: lxc (Ubuntu)
   Status: Confirmed => Triaged

https://bugs.launchpad.net/bugs/1450960

Title:
  dev file system is mounted without nosuid

Status in initramfs-tools package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  Triaged
Status in systemd package in Ubuntu:
  Fix Released

Bug description:
  I just found that the /dev filesystem of most Ubuntu systems is mounted without noexec, nosuid etc. options. If you do everything to harden your system, and you are using squashfs as the root file system (which is read-only), such auto-mounted devices can be a serious leak. This volume usually is quite small and for most folders only root has write access, so I don't know how much this bug is security relevant, but I think there is no reason not to change the mount options for /dev. And especially for LXC containers, I don't even know a workaround to fix it.

  STEPS TO REPRODUCE:

    me:~# cat >/dev/call-me.sh <<.e
    > #!/bin/sh
    > echo "I'm executable"
    > .e
    me:~# chmod +x /dev/call-me.sh
    me:~# /dev/call-me.sh
    I'm executable

  EXPECTED BEHAVIOUR

    me:~# /dev/call-me.sh
    -bash: /dev/call-me.sh: Permission denied

  WORKAROUND

    me:~# mount -oremount,noexec,nosuid /dev
    me:~# /dev/call-me.sh
    -bash: /dev/call-me.sh: Permission denied

  Unfortunately, this workaround doesn't work in LXC containers (where the same problem occurs) because of missing capabilities.
  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: udev 204-5ubuntu20.11
  ProcVersionSignature: Ubuntu 3.13.0-49.83-generic 3.13.11-ckt17
  Uname: Linux 3.13.0-49-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.10
  Architecture: amd64
  CurrentDesktop: XFCE
  CurrentDmesg: Error: command ['sh', '-c', 'dmesg | comm -13 --nocheck-order /var/log/dmesg -'] failed with exit code 1: comm: /var/log/dmesg: Permission denied
  CustomUdevRuleFiles: 51-android.rules 60-vboxdrv.rules
  Date: Sat May 2 01:48:26 2015
  MachineType: Gigabyte Technology Co., Ltd. H97-HD3
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-49-generic root=/dev/mapper/vg_ssd-lv_system_trusty1404 ro
  SourcePackage: systemd
  UpgradeStatus: Upgraded to trusty on 2014-04-18 (378 days ago)
  dmi.bios.date: 06/26/2014
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: F5
  dmi.board.asset.tag: To be filled by O.E.M.
  dmi.board.name: H97-HD3
  dmi.board.vendor: Gigabyte Technology Co., Ltd.
  dmi.board.version: x.x
  dmi.chassis.asset.tag: To Be Filled By O.E.M.
  dmi.chassis.type: 3
  dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
  dmi.chassis.version: To Be Filled By O.E.M.
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrF5:bd06/26/2014:svnGigabyteTechnologyCo.,Ltd.:pnH97-HD3:pvrTobefilledbyO.E.M.:rvnGigabyteTechnologyCo.,Ltd.:rnH97-HD3:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvrToBeFilledByO.E.M.:
  dmi.product.name: H97-HD3
  dmi.product.version: To be filled by O.E.M.
  dmi.sys.vendor: Gigabyte Technology Co., Ltd.
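A quick way to audit whether /dev (or any mountpoint) already carries the nosuid and noexec options the report asks for, as an added example that is not part of the bug report or of the systemd/lxc packages. The check_mount_opts function and the sample mount table are constructed here; on a live system the table would come from /proc/self/mounts.

```shell
#!/bin/sh
# Audit a mount table in /proc/self/mounts format for the hardening options
# the bug report wants on /dev: nosuid and noexec.
# Added example, not the bug report's own code; the sample table below is
# constructed to look like a Trusty system where /dev lacks both options.

# Constructed sample (fields: source mountpoint fstype options dump pass)
SAMPLE_MOUNTS='udev /dev devtmpfs rw,relatime,size=8159704k,nr_inodes=2039926,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=1635716k,mode=755 0 0'

# check_mount_opts MOUNTPOINT TABLE
# Prints each required option that is missing from MOUNTPOINT, one per line,
# and returns 1; prints nothing and returns 0 when both are present;
# prints NOTMOUNTED and returns 1 when the mountpoint is absent from TABLE.
check_mount_opts() {
    mp=$1
    table=$2
    # Exact match on the mountpoint field, first entry wins (as the kernel resolves it)
    line=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print; exit }')
    if [ -z "$line" ]; then
        echo NOTMOUNTED
        return 1
    fi
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    rc=0
    for want in nosuid noexec; do
        # Wrap in commas so "nosuid" cannot match inside another option name
        case ",$opts," in
            *,"$want",*) ;;
            *) echo "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# Run against the constructed table; swap in "$(cat /proc/self/mounts)" on a real host.
check_mount_opts /dev "$SAMPLE_MOUNTS" || echo "/dev is missing the options listed above"
```

Note that the remount in the report's WORKAROUND section needs CAP_SYS_ADMIN in the container's namespace, so inside an unprivileged LXC container this script can only report the gap, not close it.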