From: Alessandro Rubini <rubini@gnudd.com>
To: keescook@chromium.org
Cc: linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org,
ben@decadent.org.uk, rob@landley.net, viro@zeniv.linux.org.uk,
ludwig.nussel@suse.de, linux-doc@vger.kernel.org
Subject: Re: [PATCH] debugfs: more tightly restrict default mount mode
Date: Tue, 28 Aug 2012 09:44:09 +0200
Message-ID: <20120828074409.GA32750@mail.gnudd.com>
In-Reply-To: <20120827203215.GA16637@www.outflux.net>

> Since the debugfs is mostly only used by root, make the default mount
> mode 0700. Most system owners do not need a more permissive value,
> but they can choose to weaken the restrictions via their fstab.

But if the default is strict, file-completion won't work and most
people will run a full root shell instead of sudo to save time. This
is a step back in my opinion.

Most administrators of their own machine won't go as far as changing
fstab (none of my students would, for example). On the other hand
admins of serious sites who are really concerned about doing "ls" over
debugfs will be able to customize.

So I vote against, knowing I'm late.

thanks
/alessandro

Thread overview: 11+ messages
2012-08-27 20:32 [PATCH] debugfs: more tightly restrict default mount mode Kees Cook
2012-08-27 20:41 ` Greg Kroah-Hartman
2012-08-28 7:44 ` Alessandro Rubini [this message]
2012-08-28 14:41 ` Hardening debugfs (Was Re: [PATCH] debugfs: more tightly restrict default mount mode) Theodore Ts'o
2012-08-28 14:55 ` Ben Hutchings
2012-08-28 15:02 ` Theodore Ts'o
2012-08-28 17:09 ` Greg Kroah-Hartman
2012-08-28 19:43 ` Kees Cook
2012-08-28 22:55 ` Rob Landley
2012-08-29 4:09 ` Greg Kroah-Hartman
2012-08-30 16:15 ` Rob Landley