On 16/11/2024 13:54, Salvatore Bonaccorso wrote:
>> Hi Debian Security Team,
>>
>> Could I have your input on this please? An old bug has been reopened asking for
>> initscripts to mount debugfs by default. It was closed for several years, but
>> the workaround has now disappeared.
>>
>> In the original thread, concerns were raised about mounting debugfs in all cases
>> both for security and unnecessary resource usage[1]. Those have been expressed
>> again now.
> We had a short discussion about it at our weekly Kernel team meeting, and
> it should be noted that systemd does that already. We do not see a
> direct problem with doing it, as it is restricted to root.
>
> https://meetbot.debian.net/debian-kernel/2024/debian-kernel.2024-11-13-20.00.html
If the kernel documentation says it should not be mounted by default then why is
systemd doing so?
I believe the kernel devs said that userland shouldn't be building upon it, and
that is a reason not to enable it by default. Wouldn't it make much more sense for
a commented-out line to be placed in /etc/fstab?
As for security: ideally, if it wasn't enabled at boot-up, then root shouldn't be
able to mount it. The kernel has powers over root after all.
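A small check an administrator can run to see whether debugfs ended up mounted on a given system, whichever init system or fstab line did it. This is an added example, not code from the thread or from initscripts/systemd; the mount listing below is a constructed sample in /proc/mounts format, and the function names are my own.

```shell
#!/bin/sh
# Added example: report every debugfs mount (mountpoint and options)
# from a listing in /proc/mounts format read on stdin.
# Exit status 0 if at least one debugfs mount was found, 1 otherwise.
debugfs_mountpoints() {
    awk '$3 == "debugfs" { found = 1; print $2 " " $4 }
         END { exit found ? 0 : 1 }'
}

# Same check against the running system (read-only; needs no privileges).
check_debugfs_live() {
    debugfs_mountpoints < /proc/mounts
}

# Constructed sample of /proc/mounts content used for the demonstration.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Usage: run against the sample, then (optionally) against the live system.
if printf '%s\n' "$SAMPLE_MOUNTS" | debugfs_mountpoints; then
    echo "sample: debugfs is mounted"
else
    echo "sample: debugfs is not mounted"
fi
```

On a host where debugfs should stay unmounted, `check_debugfs_live` returning 0 is the condition to alert on; the printed options column shows whether the mount at least carries nosuid,nodev,noexec.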