On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> > Well, no: that's the opposite of plug'n'play. See, if your USB stick
> > contains a malicious vfat file system, it gets automatically mounted
> > nevertheless. It's a feature.
> Not in my servers, it doesn't. And I should add, not even in my desktops:
> all removable filesystems are mounted nodev, nosuid.

 Oh, and that was certainly the default when you pulled in GNOME?

> Mounting malicious filesystems automatically (vfat can't be one AFAIK, but
> it won't bork if you tell it to be nosuid, nodev either) is never a feature,
> it is a security hole.

 vfat and iso9660 had holes in the FS drivers themselves recently IIRC.

> Actually, should we not file security bugs against everything that comes
> configured to mount removable filesystems out-of-the box and does so without
> specifying nodev, nosuid?

 Think just before that: it's not only the mount options, it's the simple
 mounting which is risky. It's not music sharing, it's listening on the
 network.

 Cheers,
-- 
Loïc Minier <[EMAIL PROTECTED]>
Current Earth status: NOT DESTROYED
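
Added example, not part of the original message: one way to check the mount-option side of this thread, by listing removable-media mounts that lack nodev or nosuid. The filesystem-type set and the sample mount table are assumptions constructed for illustration, and the check says nothing about whether mounting the filesystem at all was safe.

```python
import re

# Filesystem types commonly seen on removable media (an assumption of this example).
REMOVABLE_FSTYPES = {"vfat", "msdos", "iso9660", "udf"}
REQUIRED_OPTIONS = {"nodev", "nosuid"}

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sdb1 /media/usbdisk vfat rw,nosuid,nodev,uid=1000 0 0
/dev/sdc1 /media/My\\040Stick vfat rw,uid=1000 0 0
/dev/hdc /media/cdrom0 iso9660 ro,nosuid 0 0
"""


def unescape(field):
    """Decode the octal escapes (\\040 for space, etc.) used in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def audit_mounts(text):
    """Return (mountpoint, fstype, missing options) for each weak mount."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        mountpoint, fstype, options = fields[1], fields[2], fields[3]
        if fstype not in REMOVABLE_FSTYPES:
            continue
        missing = REQUIRED_OPTIONS - set(options.split(","))
        if missing:
            findings.append((unescape(mountpoint), fstype, sorted(missing)))
    return findings


if __name__ == "__main__":
    # On a live Linux system, pass open("/proc/mounts").read() instead.
    for mountpoint, fstype, missing in audit_mounts(SAMPLE_MOUNTS):
        print(f"{mountpoint} ({fstype}): missing {','.join(missing)}")
```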

