Bug 864080

Summary: debugfs is mounted world readable
Product: [Fedora] Fedora
Reporter: Steve Grubb <sgrubb>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: high
Version: 18
CC: gansalmon, itamar, johannbg, jonathan, kernel-maint, lnykryn, lpoetter, madhu.chinakonda, metherid, msekleta, notting, plautrba, systemd-maint, vpavlin
Doc Type: Bug Fix
Last Closed: 2012-10-08 22:41:15 UTC
Type: Bug
Bug Blocks: 853068    

Description Steve Grubb 2012-10-08 14:11:25 UTC
Description of problem:
Systemd is mounting /sys/kernel/debug as 0755. We need it mounted as 0700 for security reasons.

Comment 1 Bill Nottingham 2012-10-08 19:48:39 UTC
Shouldn't the kernel defaults for anything sensitive be fixed, rather than relying on userspace workarounds?

Comment 2 Lennart Poettering 2012-10-08 22:18:17 UTC
We are not working around kernel problems in userspace, and we do not implement security by obscurity.

If interfaces reachable via debugfs expose security holes this should be fixed in the kernel. If the access mode to debugfs should be made tighter, then the default for it should be changed in the kernel, and userspace shouldn't attempt to tape over it.

Reassigning to kernel. Steve, please list the security holes debugfs exposes, so that they can be fixed, thank you.

Comment 3 Steve Grubb 2012-10-08 22:25:16 UTC
There is no need to list the holes nor is this security by obscurity. It's the same thing as turning on your firewall. You can either fix the holes in all the daemons - which you will never be sure you got them all. Or turn on your firewall and be done.

We simply need debugfs non-world readable. It can even be 0750 with a special non-root group if normal users need access.

Comment 4 Dave Jones 2012-10-08 22:41:15 UTC
The upstream kernel just changed this to be 700 by default.

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=82aceae4f0d42f03d9ad7d1e90389e731153898f

We're not undoing that in the Fedora kernel, so if systemd wants this changed back, argue for it on linux-kernel.
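
An audit check for the three modes discussed in this bug (0755 as reported, 0750 as the suggested group-restricted alternative, 0700 as the new upstream default), added here as an example and not taken from the bug report, systemd or the kernel. The function name `check_debugfs_modes` and its output labels are assumptions of this example; it reads a `/proc/mounts`-format file and relies on GNU `stat -c`.

```shell
#!/bin/sh
# Report the permission bits on every debugfs mount point.
# Usage: check_debugfs_modes [mounts_file]   (default: /proc/mounts)
# Output, one line per debugfs mount:
#   WORLD <mode> <path>    "other" bits set (e.g. 0755): world accessible
#   GROUP <mode> <path>    group bits set only (e.g. 0750)
#   OK <mode> <path>       owner only (e.g. 0700)
#   UNKNOWN - <path>       mount point could not be inspected
# Returns 0 if no mount is world accessible, 1 if any is WORLD or
# UNKNOWN, 2 if the file lists no debugfs mount at all.
# Limitation: paths with spaces (\040 in /proc/mounts) are not decoded.
check_debugfs_modes() {
    mounts_file=${1:-/proc/mounts}
    found=0
    bad=0
    # Fields: device mountpoint fstype options dump pass
    while read -r _dev mnt fstype _rest; do
        [ "$fstype" = "debugfs" ] || continue
        found=1
        # %a prints the octal permission bits, e.g. 755
        if ! mode=$(stat -c '%a' "$mnt" 2>/dev/null); then
            echo "UNKNOWN - $mnt"
            bad=1
            continue
        fi
        # The leading 0 makes the shell parse the value as octal
        if [ $(( 0$mode & 007 )) -ne 0 ]; then
            echo "WORLD $mode $mnt"
            bad=1
        elif [ $(( 0$mode & 070 )) -ne 0 ]; then
            echo "GROUP $mode $mnt"
        else
            echo "OK $mode $mnt"
        fi
    done < "$mounts_file"
    [ "$found" -eq 1 ] || return 2
    return "$bad"
}
```

Calling `check_debugfs_modes` with no argument inspects the running system; a non-zero return can gate a hardening or compliance script.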