Your message dated Thu, 21 Jan 2016 04:13:10 +0100
with message-id <56a04cc6.5030...@debian.org>
and subject line Re: [Pkg-utopia-maintainers] Bug#812153: Bug#812153:
policykit-1: allows ordinary users to mount filesystems
has caused the Debian Bug report #812153,
regarding policykit-1: allows ordinary users to mount filesystems
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
812153: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812153
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: policykit-1
Version: 0.105-14.1
Severity: grave
Tags: security
Hi.
Apparently polkit (or at least I guess it's ultimately the offender here,
if not please reassign accordingly) allows ordinary users to mount any
filesystem per default.
E.g. such connected via USB, or set up via losetup.
At least that works so e.g. via nautilus,.. wich disturbingly seem to do
that even automatically though nothing from that attached device/fs was
accessed... o.O
Since such filesystems may have totally different user/group owners
or even none and be world wrtiable (e.g. with *FAT filesystems) and since
they may contain any sensitve data frm keys to secret source code, etc.,
this is a grave security breach.
May not matter that much on a notebook or tablet, but one should hope that
even nowadays Debian isn't just made for those people,.. and there are
perhaps still some other systems out there were devices with such filesystems
are connected and where uses have direct and/or remote accesses, but where
they should not be able to mount any fs.
Since it has been the long standing behaviour of UNIX/Linux ever, that normal
users cannot mountfilesystems unless explicitly allowed, please revert to
that behaviour.
Cheers,
Chris.
--- End Message ---
--- Begin Message ---
Am 21.01.2016 um 03:52 schrieb Christoph Anton Mitterer:
> Control: reopen -1
> Control: reassign -1 udisks2
>
> On Thu, 2016-01-21 at 03:39 +0100, Michael Biebl wrote:
>> Policykit is the wrong package. What you look for is udisks, most
>> likely.
> I went through /usr/share/polkit-
> 1/actions/org.freedesktop.udisks2.policy but all settings there seem to
> be auth_admin and none seems to be specifically for removable devices.
>
>> And what you say is not true, only removable drives are
>> automounted, and that is deliberate and not going to change.
> It's still breaking long standing behaviour. You cannot just add such
> security regressions and call it "deliberate" thus "not going to
> change".
This behaviour has been since 2000 or so, since at least the
introduction of hal and pmount.
> Especially since any device can be removable... people connect normal
> hard disks via USB/SATA gateways, which are detected as such as well.
>
> If Debian introduces behaviour that likely allows access to data where
> normal users shouldn't have access, than this should be an opt-in.
You don't gain anything security wise by not allowing removable media to
be mounted. The only thing it will cause for sure is inconvenience.
> Thus reopening.
Please don't reopen anymore, or I'll ask bts listmaster to block your
address.
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
--- End Message ---
