Re: avahi-daemon
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> > Well, no: that's the opposite of plug'n'play. See, if your USB stick
> > contains a malicious vfat file system, it gets automatically mounted
> > nevertheless. It's a feature.
> Not in my servers, it doesn't. And I should add, not even in my desktops:
> all removable filesystems are mounted nodev, nosuid.
Oh, and that was certainly the default when you pulled in GNOME?
> Mounting malicious filesystems automatically (vfat can't be one AFAIK, but
> it won't bork if you tell it to be nosuid, nodev either) is never a feature,
> it is a security hole.
vfat and iso9660 had holes in the FS drivers themselves recently IIRC.
> Actually, should we not file security bugs against everything that comes
> configured to mount removable filesystems out of the box and does so without
> specifying nodev, nosuid?
Think just before that: it's not only the mount options, it's the
simple mounting which is risky. It's not music sharing, it's listening
on the network.
Cheers,
--
Loïc Minier <lool@dooz.org>
Current Earth status: NOT DESTROYED
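
An added example, not part of the original message: a shell check for the mount-option point raised in the thread, listing removable-media filesystems mounted without nodev or nosuid. The filesystem type list and the sample mount table are assumptions constructed for illustration. The check covers mount options only, not flaws in the filesystem drivers themselves.

```shell
#!/bin/sh
# Flag removable-media filesystems that are mounted without nodev,nosuid.
# Input on stdin uses the /proc/mounts layout:
#   device mountpoint fstype options dump pass

# Filesystem types treated as removable media (assumption; adjust per site).
REMOVABLE_FSTYPES="vfat iso9660 udf"

# audit_mounts: read a mount table on stdin and print one line per offender:
#   <mountpoint> <fstype> missing=<comma-separated options>
audit_mounts() {
    awk -v types="$REMOVABLE_FSTYPES" '
    BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
    ($3 in want) {
        split("", has)                 # clear flags from the previous line
        m = split($4, o, ",")          # exact option names, not substrings
        for (i = 1; i <= m; i++) has[o[i]] = 1
        missing = ""
        if (!("nodev" in has))  missing = missing ",nodev"
        if (!("nosuid" in has)) missing = missing ",nosuid"
        if (missing != "")
            printf "%s %s missing=%s\n", $2, $3, substr(missing, 2)
    }'
}

# sample_mounts: constructed mount table used to demonstrate the check.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/usb0 vfat rw,nosuid,nodev,relatime 0 0
/dev/sdc1 /media/usb1 vfat rw,relatime,uid=1000 0 0
/dev/sr0 /media/cdrom0 iso9660 ro,nosuid,relatime 0 0
EOF
}

# Demonstration on the constructed table.
sample_mounts | audit_mounts
```

On a live system the same function can be run as `audit_mounts < /proc/mounts`.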