That's not really true. On my system for example, the directory /dev/vboxusb/ exists with permissions
drwxr-x--- 4 root vboxusers 80 Mai 4 09:09 /dev/vboxusb/ So all users which are in group vboxusers can write to this sub- directory. I'm sure there are more cases like this... -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1450960 Title: dev file system is mounted without noexec Status in lxc package in Ubuntu: Confirmed Status in systemd package in Ubuntu: Triaged Bug description: I just found that the /dev filesystem of most Ubuntu system is mounted without noexec, nosuid etc options. If you do everything to harden your system, and you are using squashfs as root file system (which is read-only), such auto-mounted devices can be a serious leak. This volume usually is quite small and for most folders only root has write access, so I don't know how much this bug is security relevant, but I think there is no reason to not change the mount options for /dev. And especially for LXC containers, I don't even know a workaround to fix it. STEPS TO REPRODUCE: me:~# cat >/dev/call-me.sh <<.e > #!/bin/sh > echo "I'm executable" > .e me:~# chmod +x /dev/call-me.sh me:~# /dev/call-me.sh I'm executable EXPECTED BEHAVIOUR me:~# /dev/call-me.sh -bash: /dev/call-me.sh: Permission denied WORKAROUND me:~# mount -oremount,noexec,nosuid /dev me:~# /dev/call-me.sh -bash: /dev/call-me.sh: Permission denied Unfortunately, this workaround doesn't work in LXC containers (where the same problem occurs) because of missing capabilities. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: udev 204-5ubuntu20.11 ProcVersionSignature: Ubuntu 3.13.0-49.83-generic 3.13.11-ckt17 Uname: Linux 3.13.0-49-generic x86_64 ApportVersion: 2.14.1-0ubuntu3.10 Architecture: amd64 CurrentDesktop: XFCE CurrentDmesg: Error: command ['sh', '-c', 'dmesg | comm -13 --nocheck-order /var/log/dmesg -'] failed with exit code 1: comm: /var/log/dmesg: Permission denied CustomUdevRuleFiles: 51-android.rules 60-vboxdrv.rules Date: Sat May 2 01:48:26 2015 MachineType: Gigabyte Technology Co., Ltd. H97-HD3 ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-49-generic root=/dev/mapper/vg_ssd-lv_system_trusty1404 ro SourcePackage: systemd UpgradeStatus: Upgraded to trusty on 2014-04-18 (378 days ago) dmi.bios.date: 06/26/2014 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: F5 dmi.board.asset.tag: To be filled by O.E.M. dmi.board.name: H97-HD3 dmi.board.vendor: Gigabyte Technology Co., Ltd. dmi.board.version: x.x dmi.chassis.asset.tag: To Be Filled By O.E.M. dmi.chassis.type: 3 dmi.chassis.vendor: Gigabyte Technology Co., Ltd. dmi.chassis.version: To Be Filled By O.E.M. dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrF5:bd06/26/2014:svnGigabyteTechnologyCo.,Ltd.:pnH97-HD3:pvrTobefilledbyO.E.M.:rvnGigabyteTechnologyCo.,Ltd.:rnH97-HD3:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvrToBeFilledByO.E.M.: dmi.product.name: H97-HD3 dmi.product.version: To be filled by O.E.M. dmi.sys.vendor: Gigabyte Technology Co., Ltd. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1450960/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
