
Re: avahi-daemon



On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> >  Well, no: that's the opposite of plug'n'play.  See, if your USB stick
> >  contains a malicious vfat file system, it gets automatically mounted
> >  nevertheless.  It's a feature.
> Not in my servers, it doesn't.  And I should add, not even in my desktops:
> all removable filesystems are mounted nodev, nosuid.

 Oh, and that was certainly the default when you pulled in GNOME?

> Mounting malicious filesystems automatically (vfat can't be one AFAIK, but
> it won't bork if you tell it to be nosuid, nodev either) is never a feature,
> it is a security hole.

 vfat and iso9660 had holes in the FS drivers themselves recently IIRC.

> Actually, should we not file security bugs against everything that comes
> configured to mount removable filesystems out of the box and does so without
> specifying nodev, nosuid?

 Think just before that: it's not only the mount options, it's the
 simple mounting which is risky.  It's not music sharing, it's listening
 on the network.

   Cheers,

-- 
Loïc Minier <lool@dooz.org>
Current Earth status:   NOT DESTROYED


