[prev in list] [next in list] [prev in thread] [next in thread]
List: fedora-devel-list
Subject: Re: Restricting automounting of uncommon filesystems?
From: "Richard W.M. Jones" <rjones () redhat ! com>
Date: 2023-07-24 12:47:05
Message-ID: 20230724124705.GD7781 () redhat ! com
[Download RAW message or body]
On Sun, Jul 23, 2023 at 11:18:45PM -0400, Demi Marie Obenour wrote:
> On 7/23/23 12:10, Solomon Peachy via devel wrote:
> > On Sun, Jul 23, 2023 at 11:25:12AM -0400, Neal Gompa wrote:
> >>> If the system administrator wants to mount $UNCOMMONFS, they should be
> >>> able to do so without hassle, but that doesn't mean that a normal user
> >>> who got handed a sketchy USB stick at a conference should be able to do
> >>> so with no restrictions at all.
> >>>
> >>
> >> So then some kind of configuration to udisks2 to have a similar effect?
> >
> > And we're right back at square one, with the *overwhelmingly* common case
> > of a single-user system whose "admin" is sitting in front of the system.
> >
> > Of _course_ they want to mount the disk. It's why they plugged it in,
> > and they don't give two hoots if it's a "common filesystem" or not.
> >
> > (FFS, most of the stuff I personally plug in these days is ext4 or ntfs,
> > because fat32 sucks and I can't rely on exfat on all systems I need to
> > interoperate with)
> >
> > And let's be realistic here -- the overwhelmingly common threat model
> > here is that there are untrusted files on a correctly-formed filesystem.
> > Bad guys rarely need or care to get root on the system; what they're
> > after requires normal, non-elevated user permissions.
> >
> > Prompting users 'are you sure you want to use this device' will turn a
> > "yes" into an automatic reflex. Not automounting by default will just
> > add another thing to the "things to change on default fedora
> > installations" lists out there (ie right after the "enable freshrpms and
> > install modern video codecs" step), becuase it's a usability nightmare.
> >
> > In the "usability vs security" tradeoff, usability/convenience *always*
> > wins unless you're at a place that has armed guards at the door with
> > instructions to shoot first.
> >
> > - Solomon
>
> Then the mount needs to be done in a sandbox, such as a KVM guest or
> sandboxed userspace process.
This is what libguestfs does (KVM guest).
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic