This is a dupe of debian bug 378280: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378280 > Hi, > > while playing around with the latest kernel exploit > > http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html > > i wondered why the kernel virtual file systems (/sys, /proc) have > pretty much every capability. Why do those filesystems need dev, exec, > suid capabilities? > > Unless there is a good reason please mount them noexec,nodev,nosuid. > > MfG
/etc/fstab is written during installation, so reassigning to anaconda. Read ya, Phil
Bill -- thoughts?
Set the default in the kernel, if it's not needed....
this is much better dealt with upstream than in various distro bug trackers. Please file a bug in http://bugzilla.kernel.org, or post to linux-kernel.org
Isn't UPSTREAM for bugs where the bug has already been reported upstream? Oh well, reported.
This bug has been downstreamed, the changes need to be made by the vendor in /etc/fstab
initscripts does not write /etc/fstab.
It is *NOT* the job of every single utility that might ever create a filesystem (or mount one) to know this sort of magic. This needs to be done in the kernel or there's no way that it will ever be done consistently.
Turns out this is fixed in .18rc, so FC5 will pick this up when we rebase. int proc_fill_super(struct super_block *s, void *data, int silent) { struct inode * root_inode; s->s_flags |= MS_NODIRATIME | MS_NOSUID | MS_NOEXEC;