From: Werner B. <wer...@on...> - 2008-08-31 18:48:51

Szabolcs Szakacsits wrote:
> On Sun, 31 Aug 2008, Werner Baumann wrote:
>
>> I am concerned about security implications of uncontrolled usermounts
>> and measures to make them secure. Something like you find in
>> doc/kernel.txt in the fuse-package.
>>
>> In the ntfs-3g man page I find this:
>>
>> ntfs-3g is an NTFS driver, which can create, remove, rename, move files,
>> directories, hard links, and streams; it can read and write files,
>> including streams and sparse files; it can handle special files like
>> symbolic links, devices, and FIFOs; moreover it can also read
>> transparently compressed files. ... Access Handling and Security: By
>> default, files and directories are owned by the effective user and group
>> of the mounting process and everybody has full read, write, execution and
>> directory browsing permissions. If you want to use permissions handling
>> then use the uid and/or the gid options together with the umask, or fmask
>> and dmask options.
>>
>> Compared with fuse, it looks like you dropped every security-related
>> restriction.
>
> I checked doc/kernel.txt and I can't figure out what you mean we dropped.
>

From the ntfs-3g man page:

  it can handle special files like symbolic links, devices, and FIFOs
  ...
  By default ... everybody has full read, write, execution and directory
  browsing permissions.

From http://pagesperso-orange.fr/b.andre/security.html:

  Special ACL configurations are also used to represent the sticky, setuid
  and setgid flags which have no real equivalent in Windows.

Compare to this restriction in doc/kernel.txt:

  The solution is not to allow opening device files and ignore setuid and
  setgid bits when executing programs. To ensure this fusermount always adds
  "nosuid" and "nodev" to the mount options for non-privileged mounts.

Nothing dropped? Or do I misunderstand your documentation?

> Please provide a specific exploit. Thank you.
>

No, I will not; it is not the kind of thing I am trained in.

Are you sure that it is impossible to create a Windows partition that, when mounted with ntfs-3g, contains executable files, owned by root and setuid? According to http://pagesperso-orange.fr/b.andre/security.html and the man page, I can't see any real obstacle.

Cheers
Werner
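The mail contrasts the "nosuid" and "nodev" options that fusermount adds for non-privileged mounts with the ntfs-3g defaults. Whether those options are actually in effect on a given host is something an administrator can check rather than infer from documentation. The following POSIX shell script is an added example, not part of the original thread and not code from the ntfs-3g or FUSE projects: it parses /proc/mounts-style entries and reports every FUSE mount (fstype "fuse", "fuseblk" or "fuse.*") that is missing either option. The mount table it reads by default is a constructed sample embedded in the script, not a capture from a real system; the function names `has_opt` and `weak_fuse_mounts` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original mail or the ntfs-3g project): audit
# mount entries for FUSE mounts that lack the "nosuid" and "nodev" options
# fusermount adds for non-privileged mounts.

# Constructed sample with the /proc/mounts field layout:
#   device mountpoint fstype options dump pass
# The third entry is a fuseblk mount (as ntfs-3g uses) without either option;
# the fourth has nosuid but not nodev.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/win fuseblk rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other 0 0
/dev/sdc1 /media/usb fuseblk rw,relatime,user_id=1000,group_id=1000,allow_other 0 0
sshfs#host:/ /mnt/remote fuse.sshfs rw,nosuid,relatime,user_id=1000 0 0'

# has_opt OPTIONS NAME
# Succeeds when NAME appears as one whole element of the comma-separated
# OPTIONS string (so "nosuid" does not match "nosuid_x" or "xnosuid").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# weak_fuse_mounts [MOUNTS_TEXT]
# Prints one line per FUSE mount missing nosuid or nodev, formatted as
#   MOUNTPOINT missing=<comma-separated list>
# Reads the live /proc/mounts when no argument is given.
weak_fuse_mounts() {
    mounts=${1:-$(cat /proc/mounts)}
    printf '%s\n' "$mounts" | while read -r dev mnt fstype opts rest; do
        # Only FUSE-backed filesystems are of interest here.
        case "$fstype" in
            fuse|fuseblk|fuse.*) ;;
            *) continue ;;
        esac
        missing=""
        has_opt "$opts" nosuid || missing="${missing}nosuid,"
        has_opt "$opts" nodev  || missing="${missing}nodev,"
        if [ -n "$missing" ]; then
            # Strip the trailing comma from the accumulated list.
            printf '%s missing=%s\n' "$mnt" "${missing%,}"
        fi
    done
}

# Demonstration on the constructed sample: prints
#   /media/usb missing=nosuid,nodev
#   /mnt/remote missing=nodev
weak_fuse_mounts "$SAMPLE_MOUNTS"
```

Run it without arguments on a Linux host to audit the live mount table; any ntfs-3g mount that appears in the output was mounted without the restriction the mail quotes from doc/kernel.txt. The check inspects mount options only and says nothing about how setuid bits are represented inside the filesystem's ACLs.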