This is a dupe of debian bug 378280: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378280

> Hi,
>
> while playing around with the latest kernel exploit
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html
>
> I wondered why the kernel virtual file systems (/sys, /proc) have
> pretty much every capability. Why do those filesystems need dev, exec,
> suid capabilities?
>
> Unless there is a good reason please mount them noexec,nodev,nosuid.
>
> Regards

Also reported here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198995
This can be done today by just installing good /etc/fstab defaults. Isn't that enough?
It is. There is a set of filesystems × a set of mount options. You can choose whatever combo you like. It's unlikely that the tables you want will be added to the kernel, since they'll make the kernel more special-case-ridden. $EDITOR /etc/fstab; the kernel doesn't care.
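The thread's answer is "fix it in /etc/fstab", which leaves the question of how to verify that /proc and /sys actually came up with nodev,nosuid,noexec. The script below is an added example, not code from the bug report or from any distribution: it audits a /proc/mounts-style table for the mount points the report names and lists which of the three options are missing. The sample mount table is constructed inline so it runs offline; the function names, the fstab lines in the comment, and the choice to treat anything under /sys as in scope are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether the kernel virtual
# filesystems are mounted with the options the report asks for.
#
# The corresponding /etc/fstab lines (assumed layout, adapt to the distro):
#   proc   /proc  proc   defaults,nodev,nosuid,noexec  0 0
#   sysfs  /sys   sysfs  defaults,nodev,nosuid,noexec  0 0

REQUIRED="nodev nosuid noexec"

# missing_opts OPTSTRING
# Prints, space-separated on one line, the required options that are absent
# from a comma-separated mount option string such as "rw,nosuid,relatime".
missing_opts() {
    opts=",$1,"
    out=""
    for want in $REQUIRED; do
        case "$opts" in
            *",$want,"*) ;;                          # option present
            *) out="$out${out:+ }$want" ;;           # option missing
        esac
    done
    printf '%s\n' "$out"
}

# audit_mounts FILE
# Reads a /proc/mounts-style table (device mountpoint fstype options dump pass)
# and reports /proc, /sys and anything below /sys that lacks a required option.
# Returns 1 if any gap was found, 0 otherwise. Pass /proc/self/mounts to audit
# the running system.
audit_mounts() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            /proc|/sys|/sys/*) ;;
            *) continue ;;                           # not a target mount point
        esac
        miss=$(missing_opts "$opts")
        if [ -n "$miss" ]; then
            printf '%s (%s): missing %s\n' "$mnt" "$fstype" "$miss"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample table: /proc lacks noexec, /sys is fully hardened,
# and the root filesystem is out of scope for this check.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
proc /proc proc rw,nosuid,nodev,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF

if audit_mounts "$SAMPLE"; then
    echo "all virtual filesystems carry nodev,nosuid,noexec"
else
    echo "hardening gaps found (see lines above)"
fi
rm -f "$SAMPLE"
```

Run it against `/proc/self/mounts` after booting with the new fstab lines; a non-zero exit status means at least one of the mounts did not pick up the options, which is the case worth catching since init systems may mount /proc and /sys before fstab is consulted.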