
Re: 398254 is a security bug (SUID permission is 755 instead of 700 during installation)



On Fri, Jan 02, 2009 at 09:37:12PM +0100, Bastien ROUCARIES wrote:
> tags 398254 + security
> tags 398254 + patch
> thanks
> 
> >The postinst of fuse-utils creates the group fuse and sets the
> >permissions of fusermount to root:fuse 4754.  Before that happens,
> >fusermount has the permissions specified in the deb, namely root:root
> >4755.  Thus, during the installation of fuse, any user can mount a
> >FUSE filesystem without needing membership in group fuse.
> 
> I believe it is a security bug: a non-allowed user could use fuse.
> Do not raise priority because it will only allow a user to do something mad on his own account, and the race window is tiny.

Except /dev/fuse already has the right permissions per udev rules, so
fusermount is actually useless for users not in the fuse group.

Mike

