[Pkg-sysvinit-devel] Bug#378280: Too many capabilities on virtual filesystems

Goswin Brederlow brederlo at informatik.uni-tuebingen.de
Fri Jul 14 23:26:28 UTC 2006


Package: initscripts
Version: 2.86.ds1-14.1
Severity: grave
File: /etc/init.d/mountkernfs.sh
Tags: security

Hi,

while playing around with the latest kernel exploit

http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html

I wondered why the kernel virtual file systems (/sys, /proc) have
pretty much every capability. Why do those filesystems need dev, exec,
suid capabilities?

Unless there is a good reason please mount them noexec,nodev,nosuid.

Kind regards
	Goswin

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-frosties-2
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages initscripts depends on:
ii  debianutils                   2.16.2     Miscellaneous utilities specific t
ii  e2fsprogs                     1.39-1     ext2 file system utilities and lib
ii  libc6                         2.3.6-15   GNU C Library: Shared libraries
ii  lsb-base                      3.1-10     Linux Standard Base 3.1 init scrip
ii  mount                         2.12r-10   Tools for mounting and manipulatin

initscripts recommends no packages.

-- no debconf information
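
An added example, not part of the bug report or the initscripts package: a POSIX sh audit that reads a mount table in /proc/mounts format and reports which of the three options requested above (nodev, nosuid, noexec) are missing on /proc and /sys. The sample mount table is constructed; on a real system pipe in `cat /proc/mounts` instead.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (fields: source, mountpoint,
# fstype, options, dump, pass). /proc lacks all three hardening options,
# /sys already has them. On a live system use: SAMPLE_MOUNTS=$(cat /proc/mounts)
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0
udev /dev tmpfs rw,mode=0755 0 0'

# has_option <options-field> <option>: succeed only if the comma-separated
# options field contains the option as a whole word (nodev != nodevfs).
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_options <mount-table> <mountpoint>: print the hardening options
# absent from that mountpoint's entry (space separated, empty when all are
# set); print "notmounted" when the mountpoint is not in the table.
missing_options() {
    table="$1"; mp="$2"
    # last matching line wins, as it does for stacked mounts in /proc/mounts
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print $4 }' | tail -n 1)
    [ -z "$opts" ] && { printf 'notmounted'; return 0; }
    out=""
    for want in nodev nosuid noexec; do
        has_option "$opts" "$want" || out="${out:+$out }$want"
    done
    printf '%s' "$out"
}

# audit_kernfs <mount-table>: one line per kernel virtual filesystem;
# returns 1 if any of them lacks one of the options.
audit_kernfs() {
    rc=0
    for mp in /proc /sys; do
        m=$(missing_options "$1" "$mp")
        if [ -z "$m" ]; then
            echo "$mp: ok"
        else
            echo "$mp: missing $m"
            rc=1
        fi
    done
    return $rc
}

audit_kernfs "$SAMPLE_MOUNTS" || echo "hardening options missing on a kernel filesystem"
```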
