Bug 6904

Summary: Too many capabilities on virtual filesystems
Product: File System Reporter: lsof
Component: OtherAssignee: Alexey Dobriyan (adobriyan)
Status: REJECTED INVALID    
Severity: normal CC: diegocg
Priority: P2    
Hardware: i386   
OS: Linux   
Kernel Version: n/a Subsystem:
Regression: --- Bisected commit-id:

Description lsof 2006-07-25 23:24:14 UTC 
This is a dupe of debian bug 378280:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378280

> Hi,
> 
> while playing around with the latest kernel exploit
> 
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html
> 
> i wondered why the kernel virtual file systems (/sys, /proc) have
> pretty much every capability. Why do those filesystems need dev, exec,
> suid capabilities?
> 
> Unless there is a good reason please mount them noexec,nodev,nosuid.
> 
> MfG

Also reported here:
 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198995
Comment 1 Diego Calleja 2006-07-30 17:18:22 UTC 
This can be done today by just installing good /etc/fstab defaults. Isn't that
ebought?
Comment 2 Alexey Dobriyan 2006-09-08 16:57:21 UTC 
It is. There is a set of filesystems \times set of mount options.
You can choose whatever combo you like.

It's unlikely that tables you want will be added to kernel, since they'll make
kernel more special-case-ridden.

        $EDITOR /etc/fstab, kernel doesn't care.