-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/05/2011 11:11 AM, Marcus Meissner wrote:
Hi,
is it necessary that "debugfs" is mounted by default?
It exposes too much of the kernel readable (and so potentially exploitable) to the non-root user.
It makes the tracing infrastructure unusable without more work from the user. The tracing infrastructure has grown from a niche offering to being the core of other features like block trace, which I'd consider part of basic performance analysis. One potential workaround could be to make /sys/kernel/debug 0700 root and allow the admin to change it to allow access to non-root users. Forcing admins to mount it, even when they'd just be using it as root anyway, just delays the exposure. I don't necessarily agree that allowing RO access is a security hole, but it would address your concern. - -Jeff - -- Jeff Mahoney SUSE Labs -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJO3PZ8AAoJEB57S2MheeWyzuEP/3ul+viBY95LMOaf4FNfRgu7 +Q+NHjWZhdiFIM4CBU1+jkU71XU8pQoDhBIRGr2/xiZQK+Un2xkITPjxhhAAIaUJ P3A8OvC2sWMXVCm0yfOiP4WOH8o+D7rALFB5y5O2zmvKqQZkOprLWd9d/dcH7CLb HFHbglmOIXNvaw1OZxckqkHTT79zpUWf8kuYTM7qB/i7mFwQHFVO+wIJmgHvReO8 9ctR3K0TlSpEyz4/Nio6OST3JlOyb0yBWUysXhQJbohhfiXxjr54qc2kkuwmxbo5 xsztGzzzsj0jRv6SWNDrshn4SDlpqzZYsHQfIZLpJyOPb7fFd/eKxyVijnYN6m1s xo8qsgSKpQzTwTAsmJx7XCElWg9QvJRbPLqf7xXk6P+DRMWOLnBezNB3SB14qEmm TikmOGhuXdRC7qE66XhE3fTpnH4Z4QWN/kReYrz1flyOaEGmZwd8ziPEcLMgiAIm jtTfhsmUXsQRTithdanMEsI2GRrmyg59WabcOua1mmXazcI5GRd1Kxq+ccLgdjpB YKMrVWVclbVqr86gOhRYbGRKr4fGlx5+vGyuhOG4SvL+wS0CwU3iSsU/I0VcvijK yeRmN3KMD40pkey8nj0wWG3lFZkVWEfHS8wuBPRGlndlT1pX2UFvqNdUCsornYQs ix8VZu6qb4TOgz6tQEKV =oJvE -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org