Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel
Roger Lynn
Roger at rilynn.me.uk
Mon Nov 18 23:46:36 GMT 2024
On 18/11/2024 17:23, Kevin Chadwick <kc-devuan at chadwicks.me.uk> wrote:
> My mail server seems to be declined connection by hindley.org.uk and the debian
> bug list. Quite odd. I have no idea why and we have no issues elsewhere.
I am inferring that you have no problem with me quoting you in public.
>>> Hi Debian Security Team,
>>>
>>> Could I have your input on this please? An old bug has been reopened asking for
>>> initscripts to mount debugfs by default. It was closed for several years, but
>>> the workaround has now disappeared.
>>>
>>> In the original thread, concerns were raised about mounting debugfs in all cases
>>> both for security and unnecessary resource usage[1]. Those have been expressed
>>> again now.
>> We had a short discussion about it at our weekly Kernel team meeting, and
>> it should be noted that systemd does that already. We do not see a
>> direct problem in doing it as it is restricted to root.
>>
>> https://meetbot.debian.net/debian-kernel/2024/debian-kernel.2024-11-13-20.00.html
>
> If the kernel documentation says it should not be mounted by default then why is
> systemd doing so?
>
> I believe the kernel devs said that userland shouldn't be building upon it and
> that is a reason not to enable it by default. It makes much more sense to me for
> a commented out line to be placed in /etc/fstab?
>
> As for security. Ideally if it wasn't enabled at boot up then root shouldn't be
> able to mount it. The kernel has powers over root after all.
>
> Kernel lockdown disables access for security reasons, so what does a user that
> wants hibernate to work on an encrypted system but keep the system as secure as
> possible do? Linux needs to do better here and not worse, IMO.
These are all good points. One resulting question is, why does rasdaemon
need debugfs in the first place? Do the rasdaemon developers want access to
information that the kernel developers think they shouldn't need?
And having briefly looked at the lockdown documentation, I am surprised that
adding debugfs to my fstab has worked, as my kernel claims to be locked down.
Regards,
Roger
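As an added example, not part of the thread or of any Debian package: a small POSIX shell check for the two facts the discussion above turns on, whether debugfs is currently mounted and what lockdown mode the running kernel reports, plus the commented-out /etc/fstab line suggested in the quoted reply. The file paths are parameters so the functions can be run against constructed sample files; the sample mounts content below is constructed, not a real capture.

```shell
#!/bin/sh
# Added example: report debugfs mount state and kernel lockdown mode.
# Paths are parameters (defaulting to the live /proc/mounts and
# /sys/kernel/security/lockdown) so the checks also run on sample files.

# Print the mount point of debugfs from a /proc/mounts-style file,
# or "none" if no debugfs mount is listed.
debugfs_mountpoint() {
    mounts_file="${1:-/proc/mounts}"
    awk '$3 == "debugfs" { print $2; found = 1; exit }
         END { if (!found) print "none" }' "$mounts_file"
}

# Print the active lockdown mode from a /sys/kernel/security/lockdown-style
# file, whose content looks like "none [integrity] confidentiality".
# Prints "unknown" when the file is absent or unreadable (kernel without
# lockdown support, or insufficient permissions).
lockdown_mode() {
    lockdown_file="${1:-/sys/kernel/security/lockdown}"
    [ -r "$lockdown_file" ] || { echo unknown; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$lockdown_file"
}

# The /etc/fstab entry from the quoted reply, kept commented out so that
# debugfs is only mounted if an administrator deliberately uncomments it.
fstab_line_commented() {
    echo '#debugfs /sys/kernel/debug debugfs defaults 0 0'
}

# Stand-alone demo on a constructed /proc/mounts sample (not a real capture).
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
echo "sample: debugfs mounted at $(debugfs_mountpoint "$SAMPLE_MOUNTS")"
echo "live:   debugfs mounted at $(debugfs_mountpoint)"
echo "live:   lockdown mode is $(lockdown_mode)"
echo "suggested fstab entry: $(fstab_line_commented)"
rm -f "$SAMPLE_MOUNTS"
```

Run it as root or as an ordinary user; on a locked-down kernel the lockdown line will read "integrity" or "confidentiality", and the mount line tells you whether something (an init script, systemd, or an fstab entry) has already mounted debugfs at /sys/kernel/debug.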