← Back to team overview

touch-packages team mailing list archive

[Bug 1450960] Re: dev file system is mounted without noexec

 

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1450960

Title:
  dev file system is mounted without noexec

Status in lxc package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  New

Bug description:
  I just found that the /dev filesystem of most Ubuntu system is mounted
  without noexec, nosuid etc options.

  If you do everything to harden your system, and you are using squashfs
  as root file system (which is read-only), such auto-mounted devices
  can be a serious leak.

  This volume usually is quite small and for most folders only root has
  write access, so I don't know how much this bug is security relevant,
  but I think there is no reason to not change the mount options for
  /dev. And especially for LXC containers, I don't even know a
  workaround to fix it.

  STEPS TO REPRODUCE:

  me:~# cat >/dev/call-me.sh <<.e
  > #!/bin/sh
  > echo "I'm executable"
  > .e

  me:~# chmod +x /dev/call-me.sh

  me:~# /dev/call-me.sh
  I'm executable

  EXPECTED BEHAVIOUR

  me:~# /dev/call-me.sh
  -bash: /dev/call-me.sh: Permission denied

  WORKAROUND

  me:~# mount -oremount,noexec,nosuid /dev

  me:~# /dev/call-me.sh
  -bash: /dev/call-me.sh: Permission denied

  Unfortunately, this workaround doesn't work in LXC containers (where
  the same problem occurs) because of missing capabilities.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: udev 204-5ubuntu20.11
  ProcVersionSignature: Ubuntu 3.13.0-49.83-generic 3.13.11-ckt17
  Uname: Linux 3.13.0-49-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.10
  Architecture: amd64
  CurrentDesktop: XFCE
  CurrentDmesg: Error: command ['sh', '-c', 'dmesg | comm -13 --nocheck-order /var/log/dmesg -'] failed with exit code 1: comm: /var/log/dmesg: Permission denied
  CustomUdevRuleFiles: 51-android.rules 60-vboxdrv.rules
  Date: Sat May  2 01:48:26 2015
  MachineType: Gigabyte Technology Co., Ltd. H97-HD3
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-49-generic root=/dev/mapper/vg_ssd-lv_system_trusty1404 ro
  SourcePackage: systemd
  UpgradeStatus: Upgraded to trusty on 2014-04-18 (378 days ago)
  dmi.bios.date: 06/26/2014
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: F5
  dmi.board.asset.tag: To be filled by O.E.M.
  dmi.board.name: H97-HD3
  dmi.board.vendor: Gigabyte Technology Co., Ltd.
  dmi.board.version: x.x
  dmi.chassis.asset.tag: To Be Filled By O.E.M.
  dmi.chassis.type: 3
  dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
  dmi.chassis.version: To Be Filled By O.E.M.
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrF5:bd06/26/2014:svnGigabyteTechnologyCo.,Ltd.:pnH97-HD3:pvrTobefilledbyO.E.M.:rvnGigabyteTechnologyCo.,Ltd.:rnH97-HD3:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvrToBeFilledByO.E.M.:
  dmi.product.name: H97-HD3
  dmi.product.version: To be filled by O.E.M.
  dmi.sys.vendor: Gigabyte Technology Co., Ltd.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1450960/+subscriptions