[Pkg-utopia-maintainers] Bug#812153: policykit-1: allows ordinary users to mount filesystems

Christoph Anton Mitterer calestyo at scientia.net
Thu Jan 21 02:33:23 UTC 2016


Package: policykit-1
Version: 0.105-14.1
Severity: grave
Tags: security


Hi.

Apparently polkit (or at least I guess it's ultimately the offender here,
if not please reassign accordingly) allows ordinary users to mount any
filesystem per default.
E.g. such connected via USB, or set up via losetup.
At least that works so e.g. via nautilus,.. wich disturbingly seem to do
that even automatically though nothing from that attached device/fs was
accessed... o.O

Since such filesystems may have totally different user/group owners
or even none and be world wrtiable (e.g. with *FAT filesystems) and since
they may contain any sensitve data frm keys to secret source code, etc.,
this is a grave security breach.


May not matter that much on a notebook or tablet, but one should hope that
even nowadays Debian isn't just made for those people,.. and there are
perhaps still some other systems out there were devices with such filesystems
are connected and where uses have direct and/or remote accesses, but where
they should not be able to mount any fs.

Since it has been the long standing behaviour of UNIX/Linux ever, that normal
users cannot mountfilesystems unless explicitly allowed, please revert to
that behaviour.

Cheers,
Chris.



More information about the Pkg-utopia-maintainers mailing list