[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#402622: bug still not fixed



Hi,

2006 m. gruodis 14 d., ketvirtadienis 21:01, Marco d'Itri rašė:
> I don't, I believe that pmount is buggy and this is a security hole.
> While you can be pretty much sure that every USB and firewire device is
> removable, the same is not true for MMC devices.
>
> This is also related to #402649 (which I am not actually sure is a
> regression, I do not remember special-casing USB block devices in the
> past).
HAL seems to do the same (hald/linux/blockdev.c:894):

} else if (strcmp (bus, "mmc") == 0) {
...
	is_hotpluggable = TRUE;
...
	break;
}

You might be right about such assumption being a security hole, however Debian 
etch will be released with pmount and HAL, which follow such policy, but are 
not considered RC buggy. Why is udev involved here? Incorrect permissions 
prevent a user to format removable media (no workaround) and in KDE 
mediamanager case, to eject the device since mediamanager uses /usr/bin/eject 
binary (which is run as effective user) directly. However, I'll do my best to 
workaround this limitation by implementing eject via HAL action (then HAL 
starts 'eject' as root so no permission problem; only HAL policy is 
followed).

Attachment: pgpTSYMY82eHN.pgp
Description: PGP signature


Reply to: