[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-devel-list
Subject:    Re: Restricting automounting of uncommon filesystems?
From:       "Richard W.M. Jones" <rjones () redhat ! com>
Date:       2023-07-24 12:47:05
Message-ID: 20230724124705.GD7781 () redhat ! com
[Download RAW message or body]

On Sun, Jul 23, 2023 at 11:18:45PM -0400, Demi Marie Obenour wrote:
> On 7/23/23 12:10, Solomon Peachy via devel wrote:
> > On Sun, Jul 23, 2023 at 11:25:12AM -0400, Neal Gompa wrote:
> >>> If the system administrator wants to mount $UNCOMMONFS, they should be
> >>> able to do so without hassle, but that doesn't mean that a normal user
> >>> who got handed a sketchy USB stick at a conference should be able to do
> >>> so with no restrictions at all.
> >>>
> >>
> >> So then some kind of configuration to udisks2 to have a similar effect?
> > 
> > And we're right back at square one, with the *overwhelmingly* common case 
> > of a single-user system whose "admin" is sitting in front of the system.
> > 
> > Of _course_ they want to mount the disk.  It's why they plugged it in, 
> > and they don't give two hoots if it's a "common filesystem" or not.
> > 
> > (FFS, most of the stuff I personally plug in these days is ext4 or ntfs, 
> > because fat32 sucks and I can't rely on exfat on all systems I need to 
> > interoperate with)
> > 
> > And let's be realistic here -- the overwhelmingly common threat model 
> > here is that there are untrusted files on a correctly-formed filesystem.  
> > Bad guys rarely need or care to get root on the system; what they're 
> > after requires normal, non-elevated user permissions.
> > 
> > Prompting users 'are you sure you want to use this device' will turn a 
> > "yes" into an automatic reflex.  Not automounting by default will just 
> > add another thing to the "things to change on default fedora 
> > installations" lists out there (ie right after the "enable freshrpms and 
> > install modern video codecs" step), becuase it's a usability nightmare.
> > 
> > In the "usability vs security" tradeoff, usability/convenience *always* 
> > wins unless you're at a place that has armed guards at the door with 
> > instructions to shoot first.
> > 
> >  - Solomon
> 
> Then the mount needs to be done in a sandbox, such as a KVM guest or
> sandboxed userspace process.

This is what libguestfs does (KVM guest).

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[prev in list] [next in list] [prev in thread] [next in thread]