Not logged in
Log in now
Create an account
Subscribe to LWN
An "enum" for Python 3
An unexpected perf feature
LWN.net Weekly Edition for May 16, 2013
A look at the PyPy 2.0 release
PostgreSQL 9.3 beta: Federated databases and more
But otherwise yes, the fuzzer uses loop back filesystems for testing. The thing about USB sticks is that most distros automount them when you plug them in.
Probably they should not automount less used filesystems.
A story of three kernel vulnerabilities
Posted Feb 20, 2013 9:54 UTC (Wed) by josh (subscriber, #17465)
Posted Feb 20, 2013 12:48 UTC (Wed) by robert_s (subscriber, #42402)
In an ideal world of course, it would be possible to run all filesystem drivers as FUSE modules or in kernel.
Posted Feb 20, 2013 13:39 UTC (Wed) by robert_s (subscriber, #42402)
Replying to myself - upon reading to the bottom of these comments it seems libguestfs can do this to some extent.
Perhaps a security-conscious distribution should consider doing auto-mounting of any "removable" block devices through such a mechanism.
Posted Feb 20, 2013 14:31 UTC (Wed) by drag (subscriber, #31333)
FUSE still goes to through kernel file system interface, and then you have all the file system code, and the setuid fuse binaries and special permissions that the user has to have to access /dev/fuse.
It seems to me to be a attempt to throw code and complexity to obsofgate (sp?) a potential security hole. It just seems to be a better to approach just to fix the code.
Also I am pretty sure that if somebody plugs a device into a machine they have the full intention of mounting it to see what is on it. Having a 'ack' button may be useful in a case where you do not want a device mounted while you are away from the computer and the screen is locked, but besides that having a extra step the user must go through to mount it would serve little purpose. It may make people feel more comfortable or help people (like me) that tend to do odd things with flash file systems that precludes mounting them.
This is the case were potentially some sort of 'anti-virus' code may be useful to validate the device before mounting it, but that seems to open up a whole new can of worms.
Posted Feb 20, 2013 14:48 UTC (Wed) by robert_s (subscriber, #42402)
Well you'd better tell the authors of libguestfs then (largely RedHat) as security seems to be its main intention.
If you're saying that an exploit granting access to a user space program is just as dangerous as it having access to kernel space, I think most people would disagree with you.
The point is not whether or not the user wants to mount the device - let's take it for granted that they do, so confirmation is irrelevant. It's whether that USB stick that was just handed to them at a conference is able to directly exploit their kernel on insertion through a specially crafted filesystem.
"Just fix"ing "the code" in this case means "always getting all filesystem code 100% right 100% of the time".
Posted Feb 20, 2013 16:01 UTC (Wed) by drag (subscriber, #31333)
I am saying that taking a security problem that exists in kernel space and then trying to fix it by moving to a mixture of kernel space and userspace and throwing in a couple setuid root binaries isn't a silver bullet.
Fuse requires kernel file system features as well as setuid root binaries to operate properly. Without granting users access to /dev/fuse you can't 'mount' fuse file systems. Just granting users the ability to use fuse is a security risk in itself.
Now if you were to say that you wanted to use something like GVFS, which itself doesn't require any special privileges or fuse mounts or anything like that, then that's different. That is completely in a user account, but it's not POSIX compatible and requires programs to be GVFS aware.
Posted Feb 20, 2013 16:07 UTC (Wed) by drag (subscriber, #31333)
Posted Feb 21, 2013 19:40 UTC (Thu) by alonz (subscriber, #815)
So I, for one, really don't get your point.
Posted Feb 20, 2013 20:33 UTC (Wed) by josh (subscriber, #17465)
they have the full intention of mounting it to see what is on it
Posted Feb 28, 2013 21:20 UTC (Thu) by Wol (guest, #4433)
Assuming the automount works even if the screen is locked (as I get the impression is often the case), this is a perfect way of breaking into someone else's machine. If the exploit opens a root shell on a secret port, that machine is now owned ...
So in that case, the user knows exactly what is on it. They want to see what's on the machine.
So a confirmatory pop-up (as I get on my gentoo system) *is* a very effective security step.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds