On Thu, Aug 17, 2023 at 09:47:48AM -0500, Eric Sandeen wrote: > > Just to play devil's advocate here - (sorry) - I don't see this as any > different from any other "malicious" filesystem image. > > I've never been a fan of the idea that malicious images are real security > threats, but whether the parking lot USB stick paniced the box in an > unexpected way or "on purpose," the result is the same ... > > I wonder if it might make sense to put EXT4_MOUNT_ERRORS_PANIC under a > sysctl or something, so that admins can enable it only when needed. Well, if someone is stupid enough to plug in a parking lot USB stick into their system, they get everything they deserve. And a forced panic isn't going to lead a more privilege escalation attack, so I really don't see a problem if a file system which is marked "panic on error", well, causes a panic. It's a good way of (harmlessly) punishing stupid user tricks. :-) The other way of thinking about it is that if your threat model includes an attacker with physical access to the server with a USB port, attacks include a cable which has a USB port on one side, and a 120V/240V AC mains plug on the the other. This will very likely cause a system shutdown, even if they don't have automount enabled. :-) - Ted
