[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

AW: Bug#4902: Major security hole in xvmount

>I do not see any reason to panic. xvmount itself is
>not more or less safe than any user mount. It bears 
>exactly the same risks. One simply has to take exactly 
>the same care when configuring the /etc/xvmounttab as 
>when editing the /etc/fstab. If you configure your
>/etc/fstab to enable SUID and DEV on an user mount
>point exactly the same can happen.

Absolutely true. But no other user mount is installed with these options
enabled by default!

>Nevertheless, you are certainly right that I should have
>added a warning notice that one HAS TO take this care
>when editing the /etc/xvmounttab. Moreover, the choice
>of the defaults by the author was not optimal. I have 
>changed this now to be exactly equivalent to the 
>presets for a noraml user mount. However, I do not see
>any reason to generally disable SUID or DEV. It should
>stay the decision of the sysop what is to be enabled
>or not. Since the single user has no possibility to 
>influence the mount point or the mount options this
>is no general security hole.
>I hope you can agree. Then I will release the 
>corrected version.

I do. Just make sure that root has to do something to enable these
dangerous mounts.


Reply to: