List:       fedora-devel-list
Subject:    Re: Restricting automounting of uncommon filesystems?
From:       Neal Gompa <ngompa13 () gmail ! com>
Date:       2023-07-23 15:25:12
Message-ID: CAEg-Je8BZxZjPxTf49=oM38n+=0FVOvTua7NKzU7g8yxtoK2YQ () mail ! gmail ! com

On Sun, Jul 23, 2023 at 11:08 AM Eric Sandeen <esandeen@redhat.com> wrote:
>
> On 7/22/23 9:12 AM, Neal Gompa wrote:
> > On Sat, Jul 22, 2023 at 9:53 AM Florian Weimer <fweimer@redhat.com> wrote:
> >>
> >> * Matthew Garrett:
> >>
> >>> a) Does this seem like a good idea?
> >>> b) If so, is dealing with it via udev rules the right approach? This way
> >>> seems desktop-agnostic
> >>> c) Where should it ship, and what should the process be for disabling it
> >>> for people who need this functionality?
> >>
> >> Maybe a first step would be to disable automounting while the screen is
> >> locked.
> >>
> >>> Long-term I'd love to see more work put into having FUSE support for
> >>> these and leaving the in-kernel fs to stuff we know is trustworthy, but
> >>> that's rather more work.
> >>
> >> Fedora moved in the opposite direction (from gvfs to unprivileged
> >> mounting via udisks2 IIRC).
> >>
> >
> > Several years ago, SUSE distributions moved to disabling the modules
> > by default for a number of filesystems, but making it pretty easy to
> > turn them back on:
> > https://github.com/openSUSE/suse-module-tools/pull/5
>
> That's approaching it from the wrong angle, IMHO. It's not that you
> don't want to be able to mount these filesystems at all, it's that you
> don't want to let any random unprivileged user do so.
>
> If the system administrator wants to mount $UNCOMMONFS, they should be
> able to do so without hassle, but that doesn't mean that a normal user
> who got handed a sketchy USB stick at a conference should be able to do
> so with no restrictions at all.
>

So then some kind of configuration to udisks2 to have a similar effect?



-- 
真実はいつも一つ!/ Always, there's only one truth!