
Re: A Hurd user can mount loop device...



>>>>> " " == Wichert Akkerman <wichert@valinux.com> writes:

     > Previously Neal H Walfield wrote:
    >> The reason that Linux, and other monolithic kernels, do not
    >> allow users to mount filesystems is that a bad filesystem can
    >> crash the kernel.

     > No, you're completely missing the point. What you mean is
     > loading filesystem drivers, ie adding new code to the
     > kernel. That is a completely different thing than mounting a
     > filesystem.

     > Allowing an arbitrary untrusted user to mount an arbitrary
     > untrusted filesystem is *bad* from a security perspective: it
     > would be trivial for the user to create a filesystem image with
     > suid binaries, devices with lax permissions, etc.

All of those can be ignored with the right config in /etc/fstab. No
setuid binaries, no devices on the filesystem and so on. Only noexec
is pretty ineffective as shown before.

That's not really a problem. You can also make a floppy with ext2 with
setuid binaries and/or devices. Same problem as with loop devices.

     > The difference here that makes the HURD safe is that the HURD
     > `runs' the filesystem as a user(space) process, so mounting a
     > filesystem can't give the user extra privileges through that
     > data in it.

The difference is that no matter what the user does (willingly or by
mistake), he has no access to the kernel structures and can't crash or
otherwise change the kernel behaviour.

Of course a foolproof FS implementation under Linux would be perfectly
safe, but under Hurd even a broken FS implementation does not hurt.

So Hurd is safer and then you can let users mount any filesystem
anywhere without a security risk.

MfG
        Goswin
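The fstab point made above (that setuid binaries and device nodes on a
user-mountable image can be neutralised by the right mount options) can
be checked mechanically. The script below is an added example written
for this page; it is not code from the thread or from Debian. It assumes
Linux mount(8) semantics: the options user, users and owner imply
noexec,nosuid,nodev, and a later suid, dev or exec in the same option
list overrides that. The sample fstab it audits is constructed here and
is not a real system file; the entry names and paths are illustrative.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits fstab-style entries
# for user-mountable filesystems whose effective options would still
# honour setuid bits or device nodes.
#
# Assumption (Linux mount(8)): user/users/owner imply noexec,nosuid,nodev;
# a later suid/dev/exec in the same option list re-enables them.

# effective_opts OPTLIST -> prints "suid=0|1 dev=0|1 exec=0|1 user=0|1"
effective_opts() {
    suid=1; dev=1; ex=1; user=0          # mount defaults: everything allowed
    oldifs=$IFS; IFS=,
    for o in $1; do                      # walk the list in order; later wins
        case $o in
            user|users|owner) user=1; suid=0; dev=0; ex=0 ;;
            nosuid) suid=0 ;;
            suid)   suid=1 ;;
            nodev)  dev=0 ;;
            dev)    dev=1 ;;
            noexec) ex=0 ;;
            exec)   ex=1 ;;
        esac
    done
    IFS=$oldifs
    printf 'suid=%s dev=%s exec=%s user=%s\n' "$suid" "$dev" "$ex" "$user"
}

# audit_fstab FILE -> prints one RISKY line per user-mountable entry that
# still allows suid or dev; returns 1 if any were found, 0 otherwise.
# Root-only entries are skipped: only user-triggered mounts are the concern.
# exec is reported but not flagged, since noexec alone is weak protection.
audit_fstab() {
    rc=0
    while read -r fs mnt fstype opts rest; do
        case $fs in ''|\#*) continue ;; esac          # blank or comment
        eff=$(effective_opts "$opts")
        case $eff in *user=1*) ;; *) continue ;; esac  # not user-mountable
        case $eff in
            *suid=1*|*dev=1*)
                echo "RISKY: $mnt ($fstype, opts=$opts): $eff"
                rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Constructed sample fstab (not a real system file). The floppy entry is
# the weak setting: "user" implies nosuid,nodev but the trailing suid,dev
# undo it. The first loop entry is the corrected form; the second keeps
# exec but still has nosuid,nodev implied by "users".
SAMPLE_FSTAB=${TMPDIR:-/tmp}/fstab.sample.$$
cat > "$SAMPLE_FSTAB" <<'EOF'
# <file system>       <mount point>  <type>  <options>                      <dump> <pass>
/dev/sda1             /              ext2    defaults                       0      1
/dev/fd0              /floppy        ext2    user,noauto,suid,dev           0      0
/home/joe/img.ext2    /mnt/img       ext2    loop,user,noauto,nosuid,nodev  0      0
/home/joe/img2.ext2   /mnt/img2      ext2    loop,users,noauto,exec         0      0
EOF

if audit_fstab "$SAMPLE_FSTAB"; then
    echo "no risky user-mountable entries"
else
    echo "risky user-mountable entries found"
fi
```

Run it against a real fstab with `audit_fstab /etc/fstab`. The check only
covers what the mount options can enforce on a foreign image; it says
nothing about the kernel-side filesystem code that parses the image,
which is the separate point the rest of the message is about.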


