Matthias Gerstner changed bug 1089408
What   | Removed                          | Added
CC     |                                  | matthias.gerstner@suse.com
Flags  | needinfo?(security-team@suse.de) |

Comment # 18 on bug 1089408 from
(In reply to Thomas Blume from comment #8)
> Security team, could you please take a look at the potential security risk
> outlined in comment#5 and give an assessment?

Well, this is a complex topic, as you all already pointed out in the discussions.

Basically I would say that plugging in an untrusted storage device is an issue
to begin with. There are attack vectors on the kernel side of things or on the
low file system side. So the files that appear in the file system are actually
only one of the last (and most obvious) layers where security is concerned.

Having all files mounted executable gives more room for undesired execution,
e.g. by mistyping a command line or simply double-clicking in a file manager
(which, again, depends on the file manager implementation, what actually is
executed). We also have things like indexing programs that process e.g. images
and produce thumbnails of them. So even without executable bits there is
already attack surface.

For me personally the question has always been whether it is of any use to have
FAT files mounted executable. If they're foreign executables from e.g. a
Windows system then I can't execute them directly anyways. If they're actual
Linux binaries or scripts ... I personally would like to use a file system that
supports basic UNIX permissions. Also for me it would be rather uncommon to
execute programs from a removable device at all. But that is all a matter of
personal style and use cases. Still I somehow have the feeling that the use
case of wanting to execute something from a removable device is not something
that happens often.

Based on the observation that there are a lot of other security issues that hit
when mounting an untrusted device I am somewhat inclined to follow the best
usability / user experience in this case. Whatever that would be ;-)

