[17:31] Hey folks, I was doing some OS hardening and I discovered that at least one Ubuntu AMI in AWS lacks nosuid on /dev
[17:31] $ mount | grep devtmp
[17:31] devtmpfs on /dev type devtmpfs (rw,relatime,size=2000720k,nr_inodes=500180,mode=755,inode64)
[17:32] I'm opening a ticket right now, but it's not immediately clear where the ticket should be opened, as both of my media-installed machines have nosuid set on /dev.
[17:34] What makes matters worse, every code path I've found that mounts /dev sets the nosuid bit, so I'm a bit at a loss.
[17:41] chiluk: What does /etc/cloud/build.info have for a serial?
=== Eickmeyer is now known as NotEickmeyer
[17:49] Odd_Bloke
[17:49] build_name: server
[17:49] serial: 20220924
[17:49] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1991975
[17:49] -ubottu:#ubuntu-security- Launchpad bug 1991975 in systemd (Ubuntu) "dev file system is mounted without nosuid" [Undecided, New]
[17:49] A related thought: recent cloud images try to boot initramfs-less, and it's usually the initramfs which mounts /dev: https://git.launchpad.net/ubuntu/+source/initramfs-tools/tree/init#n40. A possibly pertinent comment in that code: "Note that this only becomes /dev on the real filesystem if udev's scripts are used; which they will be, but it's worth pointing out"
[17:50] Let me comment there.
[17:50] yeah, there's actually a bug in /etc/init.d/udev where it never remounts devtmpfs
[17:51] so there's that as well.
[17:53] @Odd_Bloke is there a better package you can think of to open this against other than systemd? Like the kernel, perhaps?
[17:54] especially if they are the reason it's being mounted initramfs-less
[17:54] I can cross-post there.
[17:55] I'm not sure, really: IDK what is mounting the initial /dev (though one assumes it has to be the kernel if it isn't systemd/udev, I agree!)
[17:57] '
[18:24] I'm going to attempt a workaround in /etc/init.d/udev and we'll see how that goes.
[20:39] Odd_bloke or someone else: is there a better way to tag https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1991975 so it gets security attention?
[20:39] -ubottu:#ubuntu-security- Launchpad bug 1991975 in linux (Ubuntu) "dev file system is mounted without nosuid" [Undecided, Confirmed]
[20:43] chiluk: Odd_Bloke: I can confirm on an *old* (serial: 20200902) GCP instance: $ mount | grep devtmp
[20:43] devtmpfs on /dev type devtmpfs (rw,relatime,size=490260k,nr_inodes=122565,mode=755,inode64)
[20:50] from what I can tell, devtmpfs is indeed being mounted by the kernel init code..
[20:56] yep, definitely being mounted by the kernel and not re-mounted in userspace due to systemd
[20:56] https://kernel.ubuntu.com/git/ubuntu/ubuntu-focal.git/tree/drivers/base/devtmpfs.c#n384
[20:56] moving to #ubuntu-kernel