
I notice /proc and /dev are mounted differently on Ubuntu than on other Linux distributions, as follows:

Ubuntu:

udev on /dev type devtmpfs (rw,nosuid,relatime,size=4079136k,nr_inodes=1019784,mode=755)  
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)

ALinux:

devtmpfs on /dev type devtmpfs (rw,relatime,size=1015576k,nr_inodes=253894,mode=755)  
proc on /proc type proc (rw,relatime)

I know nosuid is a security option that disallows files that carry the setuid flag. But isn't /proc already a virtual file system, and doesn't /proc serve as an interface to query kernel information? Why does /proc still need to be mounted with nosuid? Similarly for /dev.

Please let me know.

Michael Hampton
Alex

1 Answer


1 word. Security. As a general rule, you should only give enough permissions to get the job done. Allowing setuid on stuff in /proc makes no sense... therefore... don't allow it. All it would potentially do is create an attack surface to exploit your system.

TheCompWiz
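As an added example (not code from the question or the answer above): a POSIX sh check that parses a mount line in either `mount` output layout or /proc/self/mounts layout and reports which hardening options are missing. The required option sets (nosuid,nodev,noexec for /proc; nosuid for /dev) are my assumed baseline, not something the thread specifies.

```shell
#!/bin/sh
# Added example: audit mount options of /proc and /dev for missing
# least-privilege flags. Accepts either layout:
#   mount:            "proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)"
#   /proc/self/mounts "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0"
#
# check_mount_options "<mount line>" "<comma-separated required opts>"
# Prints each required option that is absent, one per line, and returns
# 1 if any are missing, 0 if all are present.
check_mount_options() {
    line=$1
    required=$2
    # Strip the parentheses `mount` adds, split on whitespace and take the
    # first field that starts with rw or ro: that is the option list.
    opts=$(printf '%s\n' "$line" | tr -d '()' | tr ' ' '\n' \
           | grep -E '^(rw|ro)(,|$)' | head -n 1)
    missing=0
    for opt in $(printf '%s\n' "$required" | tr ',' ' '); do
        case ",$opts," in
            *",$opt,"*) ;;                          # option present
            *) printf '%s\n' "$opt"; missing=1 ;;   # option absent
        esac
    done
    return $missing
}

# audit_live: run the check against the running system's mount table.
# Assumed baseline: /proc gets nosuid,nodev,noexec; /dev gets nosuid only,
# since nodev would defeat the purpose of /dev and some programs need exec.
audit_live() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case $mnt in
            /proc) check_mount_options "$dev $mnt $fstype $opts" nosuid,nodev,noexec || rc=1 ;;
            /dev)  check_mount_options "$dev $mnt $fstype $opts" nosuid || rc=1 ;;
        esac
    done < /proc/self/mounts
    return $rc
}
```

Running `audit_live` on the Ubuntu box from the question reports nothing; on the ALinux box it lists nosuid, nodev and noexec for /proc and nosuid for /dev.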