[Pkg-sysvinit-devel] Bug#378280: Too many capabilities on virtual
filesystems
Goswin Brederlow
brederlo at informatik.uni-tuebingen.de
Fri Jul 14 23:26:28 UTC 2006
Package: initscripts
Version: 2.86.ds1-14.1
Severity: grave
File: /etc/init.d/mountkernfs.sh
Tags: security
Hi,
while playing around with the latest kernel exploit
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html
i wondered why the kernel virtual file systems (/sys, /proc) have
pretty much every capability. Why do those filesystems need dev, exec,
suid capabilities?
Unless there is a good reason please mount them noexec,nodev,nosuid.
MfG
Goswin
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-frosties-2
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages initscripts depends on:
ii debianutils 2.16.2 Miscellaneous utilities specific t
ii e2fsprogs 1.39-1 ext2 file system utilities and lib
ii libc6 2.3.6-15 GNU C Library: Shared libraries
ii lsb-base 3.1-10 Linux Standard Base 3.1 init scrip
ii mount 2.12r-10 Tools for mounting and manipulatin
initscripts recommends no packages.
-- no debconf information
More information about the Pkg-sysvinit-devel
mailing list