
Re: avahi-daemon



On Fri, 03 Mar 2006, Loïc Minier wrote:
> On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> > >  Well, no: that's the opposite of plug'n'play.  See, if your USB stick
> > >  contains a malicious vfat file system, it gets automatically mounted
> > >  nevertheless.  It's a feature.
> > Not in my servers, it doesn't.  And I should add, not even in my desktops:
> > all removable filesystems are mounted nodev, nosuid.
> 
>  Oh, and that was certainly the default when you pulled in GNOME?

I have purged GNOME in deference to their lousy practices, so I wouldn't
know.  KDE tried to do that for a while, but it seems to have disabled it
again (or it is buggy).

And I am probably going to raise the issue with the package maintainers as
soon as I have the time to verify the status of all the automounting
packages in Debian, which will take a while.

If their default is suid,dev, that will have to change.

> > Actually, should we not file security bugs against everything that comes
> > configured to mount removable filesystems out-of-the box and does so without
> > specifying nodev, nosuid ?
> 
>  Think just before that: it's not only the mount options, it's the
>  simple mounting which is risky.  It's not music sharing, it's listening
>  on the network.

If automounting of removable filesystems is defaulting to enabled, that will
also be an issue to be addressed, sure.

But music sharing isn't designed to allow for local root exploits, is it?
Mounting unix-compatible filesystems in dev,suid modes is.  If you're
worried we are holding mdns apps to a different standard, don't.  It's just
a matter of what is on the radar right now ;-)

I will have to check first if the kernel is taking some extra care, as that
might reduce the number of affected packages.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
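The mount-option check discussed above (removable media mounted without nodev and nosuid), as an added example that is not part of this thread, the Debian packages mentioned, or any automounter's own code. It assumes removable media appear under /media, reads lines in /proc/mounts format, and the sample mount lines are constructed for the demo rather than captured from a real host. A unix filesystem on a stick can carry a setuid-root binary (blocked by nosuid) or a device node such as /dev/sda (blocked by nodev); the check flags any mount where either option is absent.

```shell
#!/bin/sh
# Added example: audit mount entries for removable media mounted without
# nodev/nosuid. Not code from the thread or from Debian; the /media prefix
# is an assumption and the sample lines below are constructed.

# Constructed /proc/mounts-style lines (device, mountpoint, fstype, options, dump, pass).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sdb1 /media/usbdisk vfat rw,nosuid,nodev,uid=1000 0 0
/dev/sdc1 /media/ext2stick ext2 rw 0 0
/dev/sdd1 /media/otherstick ext3 rw,nosuid 0 0
proc /proc proc rw 0 0'

# has_opt OPTS OPT: succeed if OPT is one of the comma-separated OPTS.
# Wrapping both sides in commas avoids matching "nodev" inside "nodevfoo".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mounts PREFIX < mounts-file: print one line per mount under PREFIX
# that lacks nodev or nosuid, and return the number of such mounts
# (0 means every removable mount is hardened).
check_mounts() {
    prefix=$1
    bad=0
    while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            "$prefix"/*) ;;        # only look at removable media
            *) continue ;;
        esac
        missing=""
        has_opt "$opts" nodev  || missing="$missing nodev"
        has_opt "$opts" nosuid || missing="$missing nosuid"
        if [ -n "$missing" ]; then
            echo "$mnt ($fstype) missing:$missing"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# count_bad_mounts PREFIX: number of offending mounts in the constructed sample.
count_bad_mounts() {
    printf '%s\n' "$SAMPLE_MOUNTS" | check_mounts "$1" | wc -l | tr -d ' '
}

# On a live host, run against the real mount table instead of the sample:
#   check_mounts /media < /proc/mounts
```

In the constructed sample, /media/usbdisk is mounted with both options, /media/ext2stick has neither, and /media/otherstick has nosuid but not nodev, so the check reports two offenders. The same `has_opt` test can be applied to the option field of an /etc/fstab entry or to the mount options an automounter is configured to pass.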