Re: avahi-daemon

To: debian-security@lists.debian.org
Subject: Re: avahi-daemon
From: Michael Stone <mstone@debian.org>
Date: Fri, 03 Mar 2006 09:09:36 -0500
Message-id: <[🔎] 20060303140934.GJ9733@mathom.us>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20060303134756.GB11560@khazad-dum.debian.net>
References: <98a18b470602220411n4704cacg61cab8cae197e504@mail.gmail.com> <43FC60FC.7080001@gmx.net> <20060222143022.GE17249@bee.dooz.org> <43FC8BE6.5040902@gmx.net> <20060222165940.GP17596@linuxmafia.com> <20060223110450.GA4991@javifsp.no-ip.org> <[🔎] 20060302200627.GF6022@bee.dooz.org> <[🔎] 440815DB.5030307@gmx.net> <[🔎] 20060303133638.GO6022@bee.dooz.org> <[🔎] 20060303134756.GB11560@khazad-dum.debian.net>

On Fri, Mar 03, 2006 at 10:47:56AM -0300, Henrique de Moraes Holschuh wrote:

Not in my servers, it doesn't.  And I should add, not even in my desktops:
all removable filesystems are mounted nodev, nosuid.

Mounting malicious filesystems automatically (vfat can't be one AFAIK, but
it won't bork if you tell it to be nosuid, nodev either) is never a feature,
it is a security hole.

Well, a filesystem can be malicious whether it's mounted nosuid or not.Consider the case of a crafted directory structure that tickles a kernelbug, for example. There's no question that making things easier fordesktop users adds risks, the question is where to strike the balence.


--
Michael Stone

Reply to:

Follow-Ups:
- Re: avahi-daemon
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

References:
- Re: avahi-daemon
  - From: Loïc Minier <lool+debian@via.ecp.fr>
- Re: avahi-daemon
  - From: aliban <aliban@gmx.net>
- Re: avahi-daemon
  - From: Loïc Minier <lool+debian@via.ecp.fr>
- Re: avahi-daemon
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

Prev by Date: Re: avahi-daemon
Next by Date: Re: avahi-daemon
Previous by thread: Re: avahi-daemon
Next by thread: Re: avahi-daemon
Index(es):
- Date
- Thread