touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #75345
[Bug 1450960] Re: dev file system is mounted without noexec
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1450960
Title:
dev file system is mounted without noexec
Status in lxc package in Ubuntu:
New
Status in systemd package in Ubuntu:
New
Bug description:
I just found that the /dev filesystem of most Ubuntu system is mounted
without noexec, nosuid etc options.
If you do everything to harden your system, and you are using squashfs
as root file system (which is read-only), such auto-mounted devices
can be a serious leak.
This volume usually is quite small and for most folders only root has
write access, so I don't know how much this bug is security relevant,
but I think there is no reason to not change the mount options for
/dev. And especially for LXC containers, I don't even know a
workaround to fix it.
STEPS TO REPRODUCE:
me:~# cat >/dev/call-me.sh <<.e
> #!/bin/sh
> echo "I'm executable"
> .e
me:~# chmod +x /dev/call-me.sh
me:~# /dev/call-me.sh
I'm executable
EXPECTED BEHAVIOUR
me:~# /dev/call-me.sh
-bash: /dev/call-me.sh: Permission denied
WORKAROUND
me:~# mount -oremount,noexec,nosuid /dev
me:~# /dev/call-me.sh
-bash: /dev/call-me.sh: Permission denied
Unfortunately, this workaround doesn't work in LXC containers (where
the same problem occurs) because of missing capabilities.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: udev 204-5ubuntu20.11
ProcVersionSignature: Ubuntu 3.13.0-49.83-generic 3.13.11-ckt17
Uname: Linux 3.13.0-49-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.10
Architecture: amd64
CurrentDesktop: XFCE
CurrentDmesg: Error: command ['sh', '-c', 'dmesg | comm -13 --nocheck-order /var/log/dmesg -'] failed with exit code 1: comm: /var/log/dmesg: Permission denied
CustomUdevRuleFiles: 51-android.rules 60-vboxdrv.rules
Date: Sat May 2 01:48:26 2015
MachineType: Gigabyte Technology Co., Ltd. H97-HD3
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-49-generic root=/dev/mapper/vg_ssd-lv_system_trusty1404 ro
SourcePackage: systemd
UpgradeStatus: Upgraded to trusty on 2014-04-18 (378 days ago)
dmi.bios.date: 06/26/2014
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: F5
dmi.board.asset.tag: To be filled by O.E.M.
dmi.board.name: H97-HD3
dmi.board.vendor: Gigabyte Technology Co., Ltd.
dmi.board.version: x.x
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 3
dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrF5:bd06/26/2014:svnGigabyteTechnologyCo.,Ltd.:pnH97-HD3:pvrTobefilledbyO.E.M.:rvnGigabyteTechnologyCo.,Ltd.:rnH97-HD3:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvrToBeFilledByO.E.M.:
dmi.product.name: H97-HD3
dmi.product.version: To be filled by O.E.M.
dmi.sys.vendor: Gigabyte Technology Co., Ltd.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1450960/+subscriptions