[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: 398254 is a security bug (SUID permission is 755 instead of 700 during installation)

>> I belive it is a security bug, non allowed user could use fuse.
>> Do not raise priority because it will only allow a user to do something mad on his own account, and race windows is tiny.
> Except /dev/fuse already has the right permissions per udev rules, so
> fusermount is actually useless for users not in the fuse group.

The problem is more subtle during installation fusermount is SUID,
owned by root and executable by other. Therefore permission on
/dev/fuse are not checked. After post inst run, fusermount will not be
executable by other. But they exist a windows between copy and post
inst rule when fusermount could be used by everybody.


PS: BTW it is bug 502300

Reply to: