Re: avahi-daemon
On Fri, 03 Mar 2006, Michael Stone wrote:
> On Fri, Mar 03, 2006 at 10:47:56AM -0300, Henrique de Moraes Holschuh wrote:
> >Mounting malicious filesystems automatically (vfat can't be one AFAIK, but
> >it won't bork if you tell it to be nosuid, nodev either) is never a
> >feature, it is a security hole.
>
> Well, a filesystem can be malicious whether it's mounted nosuid or not.
> Consider the case of a crafted directory structure that tickles a kernel
> bug, for example. There's no question that making things easier for
True. But that requires a broken kernel, which we patch regularly as a
security procedure anyway. Mounting removable filesystems suid,dev allows a
lot more damage *by design* in the standard Linux security-model.
So, I repeat my question: should we hunt down and file bugs (grave or worse)
on packages automounting removable media without nosuid, nodev?
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
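
Added example, not part of the original message: one way to audit a running system for the condition discussed above, by reading mount-table text in /proc/mounts format and reporting removable-media mounts that lack nosuid or nodev. The mount-point prefixes treated as "removable" and the sample table are assumptions constructed for illustration.

```python
import re
import sys

# Assumption: mount points under these prefixes hold removable media.
REMOVABLE_PREFIXES = ("/media/", "/mnt/", "/run/media/")
REQUIRED = ("nosuid", "nodev")

# Constructed sample in /proc/mounts format (device, mountpoint, type, options).
SAMPLE = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sdb1 /media/usbdisk vfat rw,nosuid,nodev,uid=1000 0 0
/dev/sdc1 /media/My\\040Disk ext2 rw 0 0
/dev/hdc /media/cdrom0 iso9660 ro,nosuid 0 0
"""


def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def audit_mounts(mounts_text, prefixes=REMOVABLE_PREFIXES):
    """Return [(mountpoint, fstype, [missing options])] for removable mounts."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        mountpoint, fstype = _unescape(fields[1]), fields[2]
        # Trailing slash so "/media" matches but "/mediaserver" does not.
        if not (mountpoint + "/").startswith(prefixes):
            continue
        options = set(fields[3].split(","))
        missing = [opt for opt in REQUIRED if opt not in options]
        if missing:
            findings.append((mountpoint, fstype, missing))
    return findings


if __name__ == "__main__":
    # Pass a path such as /proc/mounts to audit a live system.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for mountpoint, fstype, missing in audit_mounts(text):
        print(f"{mountpoint} ({fstype}): missing {','.join(missing)}")
```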