dev file system is mounted without nosuid

Status changed to 'Confirmed' because the bug affects multiple users.

/dev/ is only writable for root and noexec is fairly useless to be honest, but adding nosuid might be a nice little improvement. /dev/pts and /dev/shm have restricted mount options as well, after all.

That's not really true. On my system for example, the directory /dev/vboxusb/ exists with permissions

drwxr-x--- 4 root vboxusers 80 Mai 4 09:09 /dev/vboxusb/

So all users which are in group vboxusers can write to this sub-directory. I'm sure there are more cases like this...

Ok, my fault. No write permission for the group.

But anyway, I think there is no reason to not use both nosuid and noexec

Try this:

onlyauser@mymachine:~$ cat >/dev/.lxc/user/call-me.sh <<.e
> #!/bin/sh
> echo "I'm executable"
> .e
onlyauser@mymachine:~$ chmod +x /dev/.lxc/user/call-me.sh
onlyauser@mymachine:~$ /dev/.lxc/user/call-me.sh
I'm executable

The attachment "Patch for lxc on top of f08fee55a1f0ca62c2c97a2d2fd5ef1d7fbae8ee. Solves the issue in the container, NOT /dev/.lxc on the host" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Applied the udev.init change in http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=63dff1e2132b for Debian. But it is totally irrelevant for Ubuntu, as we don't support SysV init. Under upstart /etc/init/udev does not do any mounting, it relies on mountall to do that, thus this needs to be added to /lib/init/fstab. systemd already mounts it with MS_NOSUID (but not with MS_NOEXEC).

But in all cases the dominating and important thing here is initramfs-tools, where /dev is usually mounted.

Daniel, would you mind forwarding the initramfs-tools change to a Debian bug report?

This also applies when booting systemd without an initramfs. NOSUID is already set, but not NOEXEC. I proposed that in https://github.com/systemd/systemd/pull/1265

Feedback from upstream at https://github.com/systemd/systemd/pull/1265 : Apparently noexec on /dev breaks some drivers which expose memory-mapped devices in /dev/. So retitling for "nosuid" only. systemd already does that, initramfs-tools doesn't yet, but the attached patch needs to be modified to only set "nosuid".

I committed http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=470c174f so that under sysvinit and without initramfs-tools udev will now mount /dev with "nosuid" as well. This case doesn't apply to Ubuntu, so once again closing the systemd task.

This bug was fixed in the package initramfs-tools - 0.120ubuntu4

---------------
initramfs-tools (0.120ubuntu4) wily; urgency=medium

  * init: Mount /dev with "nosuid". Thanks "Daniel". (LP: #1450960)

 -- Martin Pitt <email address hidden> Tue, 15 Sep 2015 07:20:43 +0200

I have no objection to the lxc patches, however I do have concerns that they could cause breakages, so we need to make sure all the testcases pass.

This bug was fixed in the package systemd - 227-2ubuntu1

---------------
systemd (227-2ubuntu1) xenial; urgency=medium

  * Merge with Debian unstable. Remaining Ubuntu changes:
    - Hack to support system-image read-only /etc, and modify files in
      /etc/writable/ instead.
    - Simpler udev maintainer scripts (all platforms must support udev, no
      debconf).
    - initramfs init-bottom: If LVM is installed, settle udev,
      otherwise we get missing LV symlinks. Workaround for LP #1185394.
    - Add debian/udev.lvm2.init: Dummy SysV init script to satisfy insserv
      dependencies to "lvm2" which is handled with udev rules in Ubuntu.
    - Add debian/udev.lvm2.service to avoid running the dummy lvm2 init
      script.
    - Provide shutdown fallback for upstart. (LP: #1370329)
    - debian/extra/ifup@.service: Additionally run for "auto" class. We don't
      really support "allow-hotplug" in Ubuntu at the moment, so we need to
      deal with "auto" devices appearing after "/etc/init.d/networking start"
      already ran. (LP: #1374521)
    - ifup@.service: Drop dependency on networking.service (i. e.
      /etc/init.d/networking), and merely ensure that /run/network exists.
      This avoids unnecessary dependencies/waiting during boot and dependency
      cycles if hooks wait for other interfaces to come up (like ifenslave
      with bonding interfaces). (LP: #1414544)
    - Add Get-RTC-is-in-local-time-setting-from-etc-default-rc.patch: In
      Ubuntu we currently keep the setting whether the RTC is in local or UTC
      time in /etc/default/rcS "UTC=yes|no", instead of /etc/adjtime.
      (LP: #1377258)
    - networkd: Change IPForward= default to "kernel". This keeps
      compatibility with lots of packages which expect to be able to
      enable global forwarding in /proc/sys/net/ipv4/ip_forward.
      (LP: #1500992)
    - Put session scopes into all cgroup controllers. This makes unprivileged
      user LXC containers work under systemd. (LP: #1346734)
    - Don't attempt to migrate pid 1 itself when migrating cgroups for started
      units; works around some not yet understood cgproxy/systemd interaction.
      This particularly unbreaks cgproxy in LXC. (LP: #1491557)
    - Lower Breaks: to plymouth version which has the udev inotify fix in
      Ubuntu.
    - Change systemd-sysv's conflicts to upstart-sysv. (LP: #1422681)
    - Don't build new systemd-journal-remote package and drop
      libmicrohttpd-dev. This is blocked by the MIR (LP #1488341).
    - Build using libseccomp on all architectures (See Debian #800818)

    Upgrade fixes, keep until 16.04 LTS release:
    - systemd Conflicts/Replaces/Provides systemd-services.
    - Remove obsolete systemd-logind upstart job.
    - Clean up obsolete /etc/udev/rules.d/README.
    - systemd.postinst: Migrate mountall specific fstab options to standard
      util-linux "nofail" option.
    - systemctl: Don't forward telinit u to upstart. This works around
      upstart's Restart() always reexec'ing /sbin/init on Restart(), even if
      that changes to point to systemd during the upgrade. This avoids running
      systemd during a dist-upgrade. (LP: #1430479)

systemd (22...

Marking as triaged/wishlist for LXC, I can't think of a good reason not to mount with nosuid so such a patch would still be welcome.