dev file system is mounted without nosuid
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| initramfs-tools (Ubuntu) | Fix Released | Wishlist | Unassigned | |
| lxc (Ubuntu) | Triaged | Wishlist | Unassigned | |
| systemd (Ubuntu) | Fix Released | Wishlist | Unassigned | |
Bug Description
I just found that the /dev filesystem of most Ubuntu systems is mounted without the noexec, nosuid etc. options.
If you do everything to harden your system, and you are using squashfs as the root file system (which is read-only), such auto-mounted devices can be a serious leak.
This volume is usually quite small and for most folders only root has write access, so I don't know how security-relevant this bug is, but I think there is no reason not to change the mount options for /dev. And especially for LXC containers, I don't even know a workaround to fix it.
STEPS TO REPRODUCE:

```
me:~# cat >/dev/call-me.sh <<.e
> #!/bin/sh
> echo "I'm executable"
> .e
me:~# chmod +x /dev/call-me.sh
me:~# /dev/call-me.sh
I'm executable
```

EXPECTED BEHAVIOUR

```
me:~# /dev/call-me.sh
-bash: /dev/call-me.sh: Permission denied
```

WORKAROUND

```
me:~# mount -oremount,
me:~# /dev/call-me.sh
-bash: /dev/call-me.sh: Permission denied
```
Unfortunately, this workaround doesn't work in LXC containers (where the same problem occurs) because of missing capabilities.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: udev 204-5ubuntu20.11
Uname: Linux 3.13.0-49-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.10
Architecture: amd64
CurrentDesktop: XFCE
CurrentDmesg: Error: command ['sh', '-c', 'dmesg | comm -13 --nocheck-order /var/log/dmesg -'] failed with exit code 1: comm: /var/log/dmesg: Permission denied
Date: Sat May 2 01:48:26 2015
MachineType: Gigabyte Technology Co., Ltd. H97-HD3
ProcKernelCmdLine: BOOT_IMAGE=
SourcePackage: systemd
UpgradeStatus: Upgraded to trusty on 2014-04-18 (378 days ago)
dmi.bios.date: 06/26/2014
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: F5
dmi.board.name: H97-HD3
dmi.board.vendor: Gigabyte Technology Co., Ltd.
dmi.board.version: x.x
dmi.chassis.type: 3
dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
dmi.modalias: dmi:bvnAmerican
dmi.product.name: H97-HD3
dmi.sys.vendor: Gigabyte Technology Co., Ltd.
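A defender's check for the condition this report describes, added here as an example (it is not part of the bug report or of the Ubuntu packages): it parses `/proc/self/mountinfo`-formatted lines and reports every `/dev` mount that lacks the per-mount flags you require. The function name `check_mount_opts` and the sample mountinfo lines in the comments are constructed for this example.

```sh
#!/bin/sh
# Added example: audit the per-mount flags of /dev and its sub-mounts.
# Usage: check_mount_opts nosuid noexec < /proc/self/mountinfo
# Prints "<mountpoint> missing <flag>" for each gap; returns 1 if any gap found.
#
# proc(5) field layout of a mountinfo line:
#   1 mount id, 2 parent id, 3 major:minor, 4 root, 5 mount point,
#   6 per-mount flags (rw,nosuid,nodev,noexec,...), optional fields, "-",
#   fstype, source, superblock options.  Only field 6 carries nosuid/noexec,
#   so the superblock options at the end are deliberately ignored.
check_mount_opts() {
    required="$*"
    missing=0
    while read -r _id _parent _devno _root mnt flags _rest; do
        # Only /dev itself and mounts beneath it (e.g. /dev/shm, /dev/pts).
        case "$mnt" in
            /dev|/dev/*) ;;
            *) continue ;;
        esac
        for flag in $required; do
            # Wrap in commas so "noexec" does not match inside another token.
            case ",$flags," in
                *",$flag,"*) ;;
                *)
                    printf '%s missing %s\n' "$mnt" "$flag"
                    missing=1
                    ;;
            esac
        done
    done
    return $missing
}

# Remediation on a running host is the remount from the report's workaround,
# e.g. "mount -o remount,nosuid,noexec /dev". It needs CAP_SYS_ADMIN in the
# mount namespace, which is why it fails inside an unprivileged LXC container.

# Stand-alone run against the live system when mountinfo is readable.
if [ -r /proc/self/mountinfo ]; then
    if check_mount_opts nosuid noexec < /proc/self/mountinfo; then
        echo "/dev mounts carry nosuid and noexec"
    fi
fi
```

Run it from a boot hook or a compliance job and treat a non-zero exit as a finding; on a system where only `nosuid` is expected, pass just that flag.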
- description: updated
- information type: Private Security → Public Security
- Changed in lxc (Ubuntu): importance: Undecided → Wishlist
- Changed in initramfs-tools (Ubuntu): status: Fix Committed → Triaged
- Changed in initramfs-tools (Ubuntu): status: Triaged → Fix Committed

Status changed to 'Confirmed' because the bug affects multiple users.