Bug 198995 - Too many capabilities on virtual filesystems
Too many capabilities on virtual filesystems
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
5
All Linux
medium Severity medium
: ---
: ---
Assigned To: Dave Jones
Brian Brock
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-07-15 09:23 EDT by Need Real Name
Modified: 2015-01-04 17:27 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-09-11 20:14:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Linux Kernel 6904 None None None Never

  None (edit)
Description Need Real Name 2006-07-15 09:23:06 EDT
This is a dupe of debian bug 378280:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378280

> Hi,
> 
> while playing around with the latest kernel exploit
> 
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html
> 
> i wondered why the kernel virtual file systems (/sys, /proc) have
> pretty much every capability. Why do those filesystems need dev, exec,
> suid capabilities?
> 
> Unless there is a good reason please mount them noexec,nodev,nosuid.
> 
> MfG
Comment 1 Phil Knirsch 2006-07-18 08:05:48 EDT
/etc/fstab is written during installation, so reassigning to anaconda.

Read ya, Phil
Comment 2 Jeremy Katz 2006-07-19 14:51:40 EDT
Bill -- thoughts?
Comment 3 Bill Nottingham 2006-07-19 16:06:41 EDT
Set the default in the kernel, if it's not needed....
Comment 4 Dave Jones 2006-07-25 22:53:46 EDT
this is much better dealt with upstream than in various distro bug trackers.
Please file a bug in http://bugzilla.kernel.org, or post to
linux-kernel@vger.kernel.org
Comment 5 Need Real Name 2006-07-26 02:20:50 EDT
Isn't UPSTREAM for bugs where the bug has already been reported upstream?

Oh well, reported.
Comment 6 Need Real Name 2006-09-09 06:47:18 EDT
This bug has been downstreamed, the changes need to be made by the vendor in
/etc/fstab
Comment 7 Bill Nottingham 2006-09-11 10:32:17 EDT
initscripts does not write /etc/fstab.
Comment 8 Jeremy Katz 2006-09-11 16:02:55 EDT
It is *NOT* the job of every single utility that might ever create a filesystem
(or mount one) to know this sort of magic.

This needs to be done in the kernel or there's no way that it will ever be done
consistently.
Comment 9 Dave Jones 2006-09-11 20:14:36 EDT
Turns out this is fixed in .18rc, so FC5 will pick this up when we rebase.

int proc_fill_super(struct super_block *s, void *data, int silent)
{
    struct inode * root_inode;
    s->s_flags |= MS_NODIRATIME | MS_NOSUID | MS_NOEXEC;


Note You need to log in before you can comment on or make changes to this bug.