From: Jarkko Sakkinen <jarkko@kernel.org>
To: Topi Miettinen <toiwoton@gmail.com>
Cc: "Andy Lutomirski" <luto@amacapital.net>,
"Andy Lutomirski" <luto@kernel.org>,
"Zbigniew Jędrzejewski-Szmek" <zbyszek@in.waw.pl>,
linux-hotplug@vger.kernel.org,
"systemd Mailing List" <systemd-devel@lists.freedesktop.org>,
"Jarkko Sakkinen" <jarkko.sakkinen@linux.intel.com>,
"Jethro Beekman" <jethro@fortanix.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
linux-sgx@vger.kernel.org, "Svahn, Kai" <kai.svahn@intel.com>,
"Schlobohm, Bruce" <bruce.schlobohm@intel.com>,
"Stephen Smalley" <sds@tycho.nsa.gov>,
"Haitao Huang" <haitao.huang@linux.intel.com>,
"Ben Hutchings" <ben@decadent.org.uk>
Subject: Re: Creating executable device nodes in /dev?
Date: Wed, 09 Dec 2020 00:42:14 +0000 [thread overview]
Message-ID: <20201209004214.GA64820@kernel.org> (raw)
In-Reply-To: <20201209001521.GA64007@kernel.org>
On Wed, Dec 09, 2020 at 02:15:28AM +0200, Jarkko Sakkinen wrote:
> On Wed, Dec 09, 2020 at 01:15:27AM +0200, Topi Miettinen wrote:
> > > > > As a further argument, I just did this on a Fedora system:
> > > > > $ find /dev -perm /ugo+x -a \! -type d -a \! -type l
> > > > > No results. So making /dev noexec doesn't seem to have any benefit.
> > > >
> > > > It's no surprise that there aren't any executables in /dev since
> > > > removing MAKEDEV ages ago. That's not the issue, which is that
> > > > /dev is a writable directory (for UID=0 but no capabilities are
> > > > needed) and thus a potential location for constructing unapproved
> > > > executables if it is also mounted exec (W^X).
> > >
> > > UID 0 can just change mount options, though, unless SELinux or similar is used. And SELinux can protect /dev just fine without noexec.
> >
> > Well, mounting would need CAP_SYS_ADMIN in addition to UID 0. Also SELinux
> > is not universal and the policies might not contain all users or services.
> >
> > -Topi
>
> What's the data that supports having noexec /dev anyway? With root
> access I can then just use something else like /dev/shm mount.
>
> Has there been out in the wild real world cases that noexec mount
> of would have prevented?
Typo: "of" = "of /dev"
> For me this sounds a lot just something that "feels more secure"
> without any measurable benefit. Can you prove me wrong?
The debate is circled around something not well defined. Of course you
get theoretically more safe system when you decrease priviliges anywhere
in the system. Like you could start do grazy things with stuff that
unprivilged user has access, in order to prevent malware to elevate to
UID 0 in the first place.
I think where this go intellectually wrong is that we are talking about
*default installation* of a distribution. That should have somewhat sane
common sense access control settings. For like a normal desktop user
noexec /dev will not do any possible favor.
Then there is the case when you want to harden installation for an
application, let's' say some server. In that case you will anyway
fine-tune the security settings and go grazy enough with hardening.
When you tailor a server, it's a standard practice to enumerate and
adjust the mount points if needed.
To summarize, I neither understand the intended target audience.
/Jarkko
next prev parent reply other threads:[~2020-12-09 0:42 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-19 16:17 Creating executable device nodes in /dev? Andy Lutomirski
2020-11-19 16:32 ` Zbigniew Jędrzejewski-Szmek
2020-11-19 18:05 ` Topi Miettinen
2020-12-08 18:07 ` Andy Lutomirski
2020-12-08 20:45 ` Topi Miettinen
2020-12-08 21:30 ` Andy Lutomirski
2020-12-08 23:15 ` Topi Miettinen
2020-12-09 0:15 ` Jarkko Sakkinen
2020-12-09 0:42 ` Jarkko Sakkinen [this message]
2020-12-09 8:58 ` Topi Miettinen
2020-12-09 9:07 ` Jethro Beekman
2020-12-09 15:14 ` Andy Lutomirski
2020-12-09 19:22 ` Topi Miettinen
2020-12-09 19:32 ` Andy Lutomirski
2020-12-09 21:58 ` Ben Hutchings
2020-12-11 11:36 ` Zbigniew Jędrzejewski-Szmek
2020-12-09 7:58 ` Antw: [EXT] Re: [systemd-devel] " Ulrich Windl
2020-12-11 10:40 ` Jarkko Sakkinen
2020-12-09 8:35 ` Topi Miettinen
2020-12-11 10:46 ` Jarkko Sakkinen
2020-12-11 11:29 ` Greg KH
2020-12-12 11:51 ` [systemd-devel] " Christian Brauner
2020-12-12 12:32 ` Christian Brauner
2020-12-11 11:46 ` Topi Miettinen
2020-12-14 7:25 ` Antw: [EXT] Re: [systemd-devel] " Ulrich Windl
2020-12-15 4:19 ` Jarkko Sakkinen
2020-12-15 4:27 ` Jarkko Sakkinen
2020-12-16 10:03 ` Ulrich Windl
2020-12-16 13:05 ` Topi Miettinen
2020-12-22 22:14 ` Jarkko Sakkinen
2020-12-09 0:03 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201209004214.GA64820@kernel.org \
--to=jarkko@kernel.org \
--cc=ben@decadent.org.uk \
--cc=bruce.schlobohm@intel.com \
--cc=casey@schaufler-ca.com \
--cc=haitao.huang@linux.intel.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=kai.svahn@intel.com \
--cc=linux-hotplug@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=systemd-devel@lists.freedesktop.org \
--cc=toiwoton@gmail.com \
--cc=zbyszek@in.waw.pl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).