Mailinglist Archive: opensuse-kernel (129 mails)
Re: [opensuse-kernel] debugfs mounted by default - necessary?
- From: Jeff Mahoney <jeffm@xxxxxxx>
- Date: Mon, 05 Dec 2011 11:51:08 -0500
- Message-id: <4EDCF67C.9000905@suse.de>
On 12/05/2011 11:11 AM, Marcus Meissner wrote:
> Hi,
> is it necessary that "debugfs" is mounted by default?
> It exposes too much of the kernel readable (and so potentially
> exploitable) to the non-root user.
It makes the tracing infrastructure unusable without more work from
the user. The tracing infrastructure has grown from a niche offering
to being the core of other features like block trace, which I'd
consider part of basic performance analysis.
One potential workaround could be to make /sys/kernel/debug 0700 root
and allow the admin to change it to allow access to non-root users.
Forcing admins to mount it, even when they'd just be using it as root
anyway, just delays the exposure.
I don't necessarily agree that allowing RO access is a security hole,
but it would address your concern.
-Jeff
--
Jeff Mahoney
SUSE Labs
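
Added example (not part of the original message or of any openSUSE tooling): a shell check for the exposure discussed in this thread. It lists every debugfs mount and flags mount points whose mode lets non-root users in, which the proposed 0700 setting on /sys/kernel/debug would prevent. The function names are hypothetical, and it assumes Linux with GNU stat.

```shell
#!/bin/sh
# Audit debugfs exposure. All function names here are hypothetical.

# Print the mount point of every debugfs entry in a mounts table.
# Format (as in /proc/mounts): device mountpoint fstype options dump pass
debugfs_mounts() {
    awk '$3 == "debugfs" { print $2 }' "${1:-/proc/mounts}"
}

# Succeed if an octal mode (as printed by `stat -c %a`) grants any
# permission bit to group or other.
mode_is_exposed() {
    [ $(( 0$1 & 077 )) -ne 0 ]
}

# Report each debugfs mount as "EXPOSED <mode> <path>" or "OK <mode> <path>".
# Returns non-zero if any mount point is reachable by non-root users.
# Only the mode of the mount point is checked, not its owner or the
# permissions of individual files below it.
audit_debugfs() {
    rc=0
    for mp in $(debugfs_mounts "$1"); do
        mode=$(stat -c '%a' "$mp" 2>/dev/null) || {
            echo "UNKNOWN - $mp"
            continue
        }
        if mode_is_exposed "$mode"; then
            echo "EXPOSED $mode $mp"
            rc=1
        else
            echo "OK $mode $mp"
        fi
    done
    return $rc
}

# Usage: audit_debugfs              (reads /proc/mounts)
#        audit_debugfs mounts.txt   (reads a saved copy of the table)
# Restricting an exposed mount point as proposed in the message:
#        chmod 0700 /sys/kernel/debug
```

The mode set with chmod lasts only until debugfs is mounted again, so run the check after boot rather than only once.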