chiluk | Hey folks I was doing some OS hardening and I discovered that at least one Ubuntu AMI in AWS lacks nosuid on /dev | 17:31 |
chiluk | $ mount | grep devtmp | 17:31 |
chiluk | devtmpfs on /dev type devtmpfs (rw,relatime,size=2000720k,nr_inodes=500180,mode=755,inode64) | 17:31 |
chiluk | I'm opening a ticket right now, but it's not immediately clear where the ticket should be opened, as both of my media-installed machines have nosuid set on /dev. | 17:32 |
chiluk | What makes matters worse, every code path I've found that mounts /dev sets the nosuid bit, so I'm a bit at a loss. | 17:34 |
Odd_Bloke | chiluk: What does /etc/cloud/build.info have for a serial? | 17:41 |
=== Eickmeyer is now known as NotEickmeyer | ||
chiluk | Odd_Bloke | 17:49 |
chiluk | build_name: server | 17:49 |
chiluk | serial: 20220924 | 17:49 |
chiluk | https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1991975 | 17:49 |
-ubottu:#ubuntu-security- Launchpad bug 1991975 in systemd (Ubuntu) "dev file system is mounted without nosuid" [Undecided, New] | 17:49 | |
Odd_Bloke | A related thought: recent cloud images try to boot initramfs-less, and it's usually the initramfs which mounts /dev: https://git.launchpad.net/ubuntu/+source/initramfs-tools/tree/init#n40. A possibly pertinent comment in that code: "Note that this only becomes /dev on the real filesystem if udev's scripts are used; which they will be, but it's worth pointing out" | 17:49 |
Odd_Bloke | Let me comment there. | 17:50 |
chiluk | yeah there's actually a bug in /etc/init.d/udev where it never remounts devtmpfs | 17:50 |
chiluk | so there's that as well. | 17:51 |
chiluk | @Odd_Bloke is there a better package you can think of to open this against other than systemd? like the kernel perhaps? | 17:53 |
chiluk | especially if they are the reason it's being mounted initramfs-less | 17:54 |
chiluk | I can cross-post there. | 17:54 |
Odd_Bloke | I'm not sure, really: IDK what is mounting the initial /dev (though one assumes it has to be the kernel if it isn't systemd/udev, I agree!) | 17:55 |
chiluk | ' | 17:57 |
chiluk | I'm going to attempt a workaround in /etc/init.d/udev and we'll see how that goes. | 18:24 |
chiluk | Odd_Bloke or someone else: is there a better way to tag https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1991975 so it gets security attention? | 20:39 |
-ubottu:#ubuntu-security- Launchpad bug 1991975 in linux (Ubuntu) "dev file system is mounted without nosuid" [Undecided, Confirmed] | 20:39 | |
sdeziel | chiluk: Odd_Bloke: I can confirm on an *old* (serial: 20200902) GCP instance: $ mount | grep devtmp | 20:43 |
sdeziel | devtmpfs on /dev type devtmpfs (rw,relatime,size=490260k,nr_inodes=122565,mode=755,inode64) | 20:43 |
chiluk | From what I can tell, devtmpfs is indeed being mounted by the kernel init code. | 20:50 |
chiluk | yep definitely being mounted by the kernel and not re-mounted in userspace due to systemd | 20:56 |
chiluk | https://kernel.ubuntu.com/git/ubuntu/ubuntu-focal.git/tree/drivers/base/devtmpfs.c#n384 | 20:56 |
chiluk | moving to #ubuntu-kernel | 20:56 |