On Sun, Jan 28, 2018 at 06:11:51PM +0100, who one wrote:
> Hello,
>
> "> And what are you defending against?"
>
> there was/is a great guy that investigated the security of the BSDs, reported
> a few bugs too:
>
> https://www.youtube.com/watch?v=rRg2vuwF1hY&feature=youtu.be&t=1522
>
> that lead to ex.:
>
> https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/017_fuse.patch.sig
> [...]
By that logic, you've just disabled a piece of code that someone (Helg)
is actively working on and that has security issues fixed. What makes
you so sure there are no deadly bugs in, say, the FAT code? Or drivers
for rare-ish network cards? Or the ~120k lines of code that make up the
driver for Intel graphics cards?
Of course running less code means less of an attack surface. Just make
sure you're actually improving security if that's your goal, not just
diddling around on the fringes of your system and feeling secure because
Fuse is disabled while you're running Chrome which has access to your
~/.ssh/id_ed25519 or ~/.bitcoin/wallet.dat.
> [...]
> So would the mentioned method, by removing the "grep -i fuse
> /sys/conf/GENERIC" and doing re-compile would "disable FUSE"?
> [...]
If would. But as already mentioned by other people, the barriers to Fuse
are relatively high (You need code exec as root to fiddle with
/dev/fuse0), while code you're actually running may have more of an
impact on your security situation.
--
Gregor
