Re: Camera mounting

Ian Malone <ibmalone@xxxxxxxxx> writes:

> On 8 July 2014 22:33, lee <lee@xxxxxxxxxxxxxxx> wrote:
>> Ian Malone <ibmalone@xxxxxxxxx> writes:
>>
>>> By expecting users to mount attached devices with full-fat mount usage
>>> you open the potential for exploits.
>>
>> How would that happen?  A file system is either mounted or not, or is
>> it?
>
> I think I wasn't clear enough. The user doesn't get to run mount
> themselves. The system does it for them, in a well-defined place with
> set permissions.

Neither the system, nor the user should mount something.  Only root
should do that, knowing what they're doing.

> If you're worried about security then what are the
> actual risks?
> - Worried about users copying data on or off. You need to disable auto
> mounting, but you need to do a lot of other things too.

When there is no auto mounting, that's one less thing you'd have to
disable.

> - Things getting mounted in dangerous places, e.g. over / or /bin or a
> user's home directory. Doesn't happen.

You trust computers too much.

> - Things being mounted executable. I've just checked and the default
> options I get for FAT are showexec, but this could probably be changed
> to prevent it, certainly it gives you a single point the admin could
> potentially change it. But files are owned by the user, so setuid
> tricks are out.

The users can always copy things from things mounted and make them
executable.  Or they can write their own programs, without mounting
anything.  When the system mounts things itself, who knows what it might
execute.


-- 
Fedora release 20 (Heisenbug)
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
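
An added example, not part of either poster's message: a Python check of the points argued above (where removable media get mounted, and whether setuid, device and execute permissions are honoured there), run over mount table lines in /proc/self/mounts format. The allowed directories, the file system list and the sample lines are assumptions made for this example.

```python
import re

# Assumption: automounted removable media belong under these prefixes
# (udisks2 uses /run/media/<user>); adjust to the local policy.
ALLOWED_PREFIXES = ("/run/media/", "/media/")
REMOVABLE_FS = {"vfat", "exfat", "msdos", "ntfs", "fuseblk", "iso9660", "udf"}
REQUIRED = ("nosuid", "nodev")

def unescape(field):
    """Decode the octal escapes (\\040 for space) used in /proc/self/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def audit_mounts(text):
    """Return (mount point, finding) pairs for removable-media file systems."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] not in REMOVABLE_FS:
            continue
        mnt, opts = unescape(parts[1]), set(parts[3].split(","))
        if not mnt.startswith(ALLOWED_PREFIXES):
            findings.append((mnt, "mounted outside the removable-media directories"))
        for opt in REQUIRED:
            if opt not in opts:
                findings.append((mnt, "missing " + opt))
        if "noexec" not in opts:
            note = "showexec: .exe/.com/.bat only" if "showexec" in opts else "all files"
            findings.append((mnt, "executable bits allowed (" + note + ")"))
    return findings

# Constructed sample in /proc/self/mounts format, not taken from a real system.
SAMPLE = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /run/media/ian/CAMERA vfat rw,nosuid,nodev,relatime,uid=1000,gid=1000,fmask=0022,dmask=0022,showexec 0 0
/dev/sdc1 /home/ian/My\\040Card vfat rw,relatime,uid=1000,gid=1000 0 0
/dev/sdd1 /run/media/ian/LOCKED vfat rw,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    try:
        with open("/proc/self/mounts") as fh:  # live mount table on Linux
            data = fh.read()
    except OSError:
        data = SAMPLE  # fall back to the constructed sample elsewhere
    for mnt, finding in audit_mounts(data):
        print(mnt + ": " + finding)
```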



