On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> On Fri, 03 Mar 2006, Loïc Minier wrote:
> > On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> > > True. But that requires a broken kernel, which we patch regularly as a
> > > security procedure anyway. Mounting removable filesystems suid,dev allows a
> > > lot more damage *by design* in the standard Linux security-model.
> >
> > And we also support avahi security-wise, and would patch it in the case
> > of a known vulnerability.
> Nobody ever implied that avahi is badly maintained. And unless mdns/avahi
> is somehow being shipped configured in such a way so as to allow for
> immediate local root privilege escalations, I don't think I understood the
> point you wanted to make.

You were making the point that it's a security bug to mount USB sticks
automatically without nodev and nosuid, and people responded to you that it
was already a security risk to mount a filesystem automatically. You finally
replied that this implies a broken kernel and the kernel is supported
security-wise.

My point was to draw the following parallel:
- mounting a filesystem automatically <=> listening on the network
- kernel vulnerable <=> avahi vulnerable
- kernel supported security-wise <=> avahi supported security-wise
(- protecting with nodev nosuid <=> not having anything advertized)

> I stated that the fact that a hypothetical kernel bug *also* allows for local
> root exploits through a nosuid,nodev removable filesystem does *not* excuse
> us to have removable filesystems being mounted suid,dev, which depending on
> the filesystem type allows for immediate local root privilege escalation,
> *by* *design*.

Which I completely agree with. But by default, no music is shared via avahi,
so it would require a bug in avahi (exactly like it would require a bug in
the kernel) to do anything nasty.

Cheers,
--
Loïc Minier <[EMAIL PROTECTED]>
Current Earth status: NOT DESTROYED
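A defender's check for the mount options this thread argues about, added here as an example and not part of the mail or of any Debian tooling: it parses /proc/mounts-format lines and reports removable filesystems mounted without nosuid or nodev. The removable mount-point prefixes and the sample mount table are constructed assumptions.

```python
"""Audit a mount table for the nosuid/nodev hardening argued about above."""
import re

# Options a removable filesystem should carry. Without nosuid, a setuid-root
# binary on a stick formatted ext2/ext3 runs as root; without nodev, a device
# node on the stick gives raw access to the host's disks and memory devices.
REQUIRED_OPTIONS = ("nosuid", "nodev")
# Where removable media get automounted: an assumption made for this example,
# not something the mail states.
REMOVABLE_PREFIXES = ("/media/", "/mnt/", "/run/media/")

# Constructed sample in /proc/mounts format (not from a real system).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /media/usbstick ext2 rw,relatime 0 0
/dev/sdc1 /media/camera vfat rw,nosuid,nodev,noexec,relatime,uid=1000 0 0
/dev/sdd1 /media/backup ext3 rw,nodev,relatime 0 0
"""

def _unescape(field: str) -> str:
    """Decode the \\ooo octal escapes /proc/mounts uses for spaces and tabs."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text: str) -> list:
    """Parse 'device mountpoint fstype options dump pass' lines into dicts."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        device, mountpoint, fstype, opts = fields[:4]
        entries.append({"device": _unescape(device), "mountpoint": _unescape(mountpoint),
                        "fstype": fstype, "options": set(opts.split(","))})
    return entries

def audit(text: str, prefixes=REMOVABLE_PREFIXES) -> dict:
    """Map each removable mount point to the hardening options it lacks."""
    findings = {}
    for entry in parse_mounts(text):
        if entry["mountpoint"].startswith(prefixes):
            missing = [o for o in REQUIRED_OPTIONS if o not in entry["options"]]
            if missing:
                findings[entry["mountpoint"]] = missing
    return findings

if __name__ == "__main__":
    import os
    table = open("/proc/mounts").read() if os.path.exists("/proc/mounts") else SAMPLE_MOUNTS
    for mountpoint, missing in audit(table).items():
        print(f"{mountpoint}: mounted without {','.join(missing)}")
```

On the sample table the ext2 stick is flagged for both options and the ext3 backup disk for nosuid only; the vfat camera mount passes.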

