Bug 6904 - Too many capabilities on virtual filesystems
Summary: Too many capabilities on virtual filesystems
Status: REJECTED INVALID
Alias: None
Product: File System
Classification: Unclassified
Component: Other
Hardware: i386 Linux
: P2 normal
Assignee: Alexey Dobriyan
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-07-25 23:24 UTC by lsof
Modified: 2006-09-08 16:57 UTC

See Also:
Kernel Version: n/a
Subsystem:
Regression: ---
Bisected commit-id:


Attachments

Description lsof 2006-07-25 23:24:14 UTC
This is a dupe of debian bug 378280:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378280

> Hi,
> 
> while playing around with the latest kernel exploit
> 
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html
> 
> I wondered why the kernel virtual file systems (/sys, /proc) have
> pretty much every capability. Why do those filesystems need dev, exec,
> suid capabilities?
> 
> Unless there is a good reason please mount them noexec,nodev,nosuid.
> 
> Regards

Also reported here:
 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198995
Comment 1 Diego Calleja 2006-07-30 17:18:22 UTC
This can be done today by just installing good /etc/fstab defaults. Isn't that
enough?
Comment 2 Alexey Dobriyan 2006-09-08 16:57:21 UTC
It is. There is a set of filesystems \times set of mount options.
You can choose whatever combo you like.

It's unlikely that tables you want will be added to kernel, since they'll make
kernel more special-case-ridden.

        $EDITOR /etc/fstab, kernel doesn't care.
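The point of the two replies is that the restriction belongs in /etc/fstab, not in the kernel. The following script is an added example (not from the bug report or from either commenter) showing what that looks like in practice: it audits mount lines in /proc/mounts format for proc and sysfs entries that lack nodev, noexec or nosuid, and prints the fstab entries that would apply them. The sample mount table is constructed for the example; the fstab lines assume a Linux system whose other fstab entries are left unchanged.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit virtual filesystem mount
# options and emit hardened /etc/fstab entries for proc and sysfs.

# Constructed sample in /proc/mounts format:
#   source target fstype options dump pass
# /proc here lacks the three options; /sys already has them; ext4 is ignored.
SAMPLE_MOUNTS='proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Options the Debian reporter asks for on the virtual filesystems.
WANTED_OPTS="nodev noexec nosuid"

# Read mount lines from stdin; for every proc or sysfs mount print one line
# per missing option, in the form "<target> missing <opt>".
missing_opts() {
    while read -r src target fstype opts dump pass; do
        case "$fstype" in
            proc|sysfs) ;;
            *) continue ;;
        esac
        for want in $WANTED_OPTS; do
            # Surround with commas so "nodev" does not match inside another word.
            case ",$opts," in
                *",$want,"*) ;;
                *) printf '%s missing %s\n' "$target" "$want" ;;
            esac
        done
    done
}

# fstab entries that mount both virtual filesystems with the restrictive
# options (assumption: standard Linux mount(8) option names).
hardened_fstab() {
    printf '%s\n' \
        'proc   /proc   proc    nodev,noexec,nosuid   0 0' \
        'sysfs  /sys    sysfs   nodev,noexec,nosuid   0 0'
}

printf '%s\n' "$SAMPLE_MOUNTS" | missing_opts
hardened_fstab
```

On a live system the same check runs as `missing_opts < /proc/mounts`; an empty result means both virtual filesystems already carry all three options. Changing /etc/fstab affects the next mount, so after editing, `mount -o remount /proc` and `mount -o remount /sys` (or a reboot) are needed before the audit reports clean.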
