[Pkg-utopia-maintainers] Bug#556416: hal's automounting of devices can lead to many problems including security related issues
Christoph Anton Mitterer
christoph.anton.mitterer at physik.uni-muenchen.de
Sun Nov 15 22:33:39 UTC 2009
Package: hal
Version: 0.5.13-3
Severity: important
Hi.
It seems that Debian's default for hal is to mount many different
kinds of filesystems automatically (removable as well as non-removable).
Actually I think this is not only very bad behaviour but potentially
also security critical.
Nowadays users, even on servers, can barely avoid installing hal as so
much stuff depends on it.
I think this puts special demands on the maintainers to also take care
of such users.
Of course I also understand that some, well, let's say "end users"
prefer their devices to be automatically mounted.
I suggest the best solution would be to make it configurable via
debconf, where the user can select which devices should be automounted
(better said their filesystems). And the user should be warned that
this can have impacts (see below), and that it happens read-writable,
etc.
The default however should be definitely to not auto-mount anything.
Now some reasons why IMHO it is a bad idea to automount stuff:
- This is not the out of the box behaviour of Linux/Unix itself and
users expect that only stuff in fstab can get automatically mounted.
- If one doesn't know of hal's behaviour, one does not recognise that
filesystems are mounted and simply removes devices without unmounting
=> data loss possible
- Also the permissions of files on such devices might be set in an
insecure way, and the owner that inserts the devices does not want to
have it mounted per se, because then anyone would be able to read it.
- The same applies to filesystems like *FAT* which do not support unix
like owners/etc. ... thus a filesystem might be automounted with
insecure permissions.
- If the filesystem is already damaged, or not cleanly unmounted, it
can happen that mounting (even if it would be ro) changes the data
(e.g. the case with ext*) and destroys attempts to do forensics on
damaged devices
- Simply "inserting" a removable device should not change anything on
it. This is however easily possible once it's mounted.
- Auto-mounting may introduce problems with privacy laws (e.g. devices
with private or personal data, which is (once mounted) automatically
scanned with virus scanners or whatever).
- Auto-mounting usually happens NOT with nosuid, nodev, noexec, etc.
... which also introduces the possibility of security problems.
For that (and many other reasons I've not written down), I strongly
suggest to either deactivate automounting entirely... or make it
configurable via debconf (with the default at deactivated) and give
the user warnings with examples as above.
The same should, by the way, be done with hal's successor (devicekit), which
is also maintained by the Utopia Team.
btw: I think this bug should be flagged as security/critical... I've
chosen not to do so, as this only makes you upset ;) But I suggest
to increase the priority.
Best wishes,
Chris.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.31-fermat (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages hal depends on:
ii acl 2.2.48-1 Access control list utilities
ii adduser 3.111 add and remove users and groups
ii consolekit 0.3.1-2 framework for defining and trackin
ii dbus 1.2.16-2 simple interprocess messaging syst
ii hal-info 20090716-1 Hardware Abstraction Layer - fdi f
ii libblkid1 2.16.1-4 block device id library
ii libc6 2.10.1-5 GNU C Library: Shared libraries
ii libdbus-1-3 1.2.16-2 simple interprocess messaging syst
ii libdbus-glib-1-2 0.82-2 simple interprocess messaging syst
ii libexpat1 2.0.1-4 XML parsing C library - runtime li
ii libglib2.0-0 2.22.2-2 The GLib library of C routines
ii libhal-storage1 0.5.13-3 Hardware Abstraction Layer - share
ii libhal1 0.5.13-3 Hardware Abstraction Layer - share
ii libpolkit2 0.9-4 library for accessing PolicyKit
ii libusb-0.1-4 2:0.1.12-13 userspace USB programming library
ii lsb-base 3.2-23 Linux Standard Base 3.2 init scrip
ii mount 2.16.1-4 Tools for mounting and manipulatin
ii pciutils 1:3.1.4-2 Linux PCI Utilities
ii policykit 0.9-4 framework for managing administrat
ii udev 146-6 /dev/ and hotplug management daemo
ii usbutils 0.86-2 Linux USB utilities
Versions of packages hal recommends:
ii eject 2.1.5+deb1+cvs20081104-7 ejects CDs and operates CD-Changer
ii pm-utils 1.2.5-4 utilities and scripts for power ma
Versions of packages hal suggests:
ii gnome-device-manager 0.2-3 GNOME device manager based on HAL
-- no debconf information
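
Added example (not part of the original bug report, and not code from hal or Debian): a check for the mount-option concerns raised in the report, listing filesystems under a removable-media prefix that are mounted writable or without nosuid, nodev or noexec. The /media prefix and the sample mount table are assumptions constructed for illustration; input is in /proc/mounts format.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sdb1 /media/disk vfat rw,uid=1000,umask=077 0 0
/dev/sdc1 /media/backup ext3 ro,nosuid,nodev 0 0
/dev/sdd1 /media/safe vfat ro,nosuid,nodev,noexec 0 0'

# audit_mounts PREFIX   (mount table on stdin)
# Prints "<mountpoint> <fstype> missing=<opts|-> writable=<yes|no>" for
# every mount below PREFIX that is read-write or lacks a hardening option.
audit_mounts() {
    awk -v prefix="${1:-/media}" '
    index($2, prefix "/") == 1 {
        split("", have)                      # portable way to clear the array
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) have[opts[i]] = 1

        missing = ""
        m = split("nosuid nodev noexec", want, " ")
        for (i = 1; i <= m; i++)
            if (!(want[i] in have))
                missing = missing (missing == "" ? "" : ",") want[i]

        rw = ("rw" in have) ? "yes" : "no"
        if (missing != "" || rw == "yes")
            printf "%s %s missing=%s writable=%s\n", \
                   $2, $3, (missing == "" ? "-" : missing), rw
    }'
}

# Demonstration on the constructed sample.
# On a live system: audit_mounts /media < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts /media
```

An empty result means every filesystem under the prefix is mounted read-only with all three options set.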