
Re: [squeeze] permission to upload thunar-volman



Yves-Alexis,

on Fri, Feb 18, 2011 at 10:13:30PM +0100, you wrote the following:
> would it be possible to make a stable upload, targeted at 6.0.1 or
> 6.0.2, to disable default automount/autobrowse in thunar-volman?
> 
> It's only a matter of shipping a config file, so the following diff
> should do the trick:
> 
> +  * debian/thunar-volman.xml:
> +    - disable device automount/autorun/autobrowse by default

> --- thunar-volman-0.3.80.orig/debian/thunar-volman.xml
> +++ thunar-volman-0.3.80/debian/thunar-volman.xml
> @@ -0,0 +1,16 @@
> +<?xml version="1.0" encoding="UTF-8"?>
> +
> +<channel name="thunar-volman" version="1.0">
> +  <property name="automount-media" type="empty">
> +    <property name="enabled" type="bool" value="false"/>
> +  </property>
> +  <property name="automount-drives" type="empty">
> +    <property name="enabled" type="bool" value="false"/>
> +  </property>
> +  <property name="autobrowse" type="empty">
> +    <property name="enabled" type="bool" value="false"/>
> +  </property>
> +  <property name="autoopen" type="empty">
> +    <property name="enabled" type="bool" value="false"/>
> +  </property>
> +</channel>
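
Review bot: the changelog entry says automount/autorun/autobrowse are disabled, but the new debian/thunar-volman.xml sets `enabled` to false only for automount-media, automount-drives, autobrowse and autoopen. The file has no autorun property, and autoopen is not mentioned in the changelog. Either add an autorun block alongside the other four (assuming it follows the same naming) or reword the changelog entry so it lists what the file actually disables.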

I don't get this.  You're talking about autorun but all you disable is
autoopen.  To recap: autorun checks for the presence of `.autorun',
`autorun' and `autorun.sh', asks for a confirmation and runs the
script.  autoopen checks for `.autoopen' and asks for a confirmation
to open the selected file.

Either both need to be disabled or none (given that there's a confirmation
involved).

But then I'm not at all convinced that we should do this change in stable.
If it's a consensus to do it because of the security problems, then all DEs
should get such changes (preferably by way of DSA so that it's properly
announced, it's a behaviour change after all).  If it's not then why is
only xfce doing it?

I see the point of vulnerable thumbnailers, of course.  But then you have
the same problem when browsing the web and someone exploiting your system.
We need to fix those thumbnailers.  (On shared NFS or CIFS mounts it'd
still be exploitable.)  And for wheezy look into the containment of those
like Ubuntu does.

So that's a weak NACK at this point, sorry.

Kind regards
Philipp Kern

Attachment: signature.asc
Description: Digital signature
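
The mismatch raised in the reply above can be checked mechanically. This is an added example, not part of the original message or of the thunar-volman package: it audits a channel file for the automatic actions named in the thread, and the `autorun` property name is an assumption modelled on the four names in the quoted file.

```python
import xml.etree.ElementTree as ET

# Actions named in the thread. The "autorun" property name is an assumption
# modelled on the four names that appear in the quoted file.
AUTO_ACTIONS = ("automount-media", "automount-drives", "autobrowse",
                "autoopen", "autorun")

# Constructed sample input: the channel file from the quoted diff.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<channel name="thunar-volman" version="1.0">
  <property name="automount-media" type="empty">
    <property name="enabled" type="bool" value="false"/>
  </property>
  <property name="automount-drives" type="empty">
    <property name="enabled" type="bool" value="false"/>
  </property>
  <property name="autobrowse" type="empty">
    <property name="enabled" type="bool" value="false"/>
  </property>
  <property name="autoopen" type="empty">
    <property name="enabled" type="bool" value="false"/>
  </property>
</channel>
"""

def audit_channel(xml_text):
    """Map each auto-action to 'disabled', 'enabled' or 'unset'."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    if root.tag != "channel" or root.get("name") != "thunar-volman":
        raise ValueError("not a thunar-volman channel file")
    states = {}
    for action in AUTO_ACTIONS:
        path = f"property[@name='{action}']/property[@name='enabled']"
        node = root.find(path)
        if node is None:
            states[action] = "unset"  # file is silent, so it does not disable it
        elif node.get("value", "").strip().lower() == "true":
            states[action] = "enabled"
        else:
            states[action] = "disabled"
    return states

def not_disabled(xml_text):
    """Actions the file leaves enabled or does not mention at all."""
    return sorted(a for a, s in audit_channel(xml_text).items() if s != "disabled")

if __name__ == "__main__":
    print("not disabled by this file:", not_disabled(SAMPLE))
```

An `unset` result means only that the shipped file does not override that action; what happens then depends on the default built into the installed thunar-volman.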

