https://bugzilla.novell.com/show_bug.cgi?id=308867

User szaka@ntfs-3g.org added comment
https://bugzilla.novell.com/show_bug.cgi?id=308867#c22

--- Comment #22 from Szabolcs Szakacsits <szaka@ntfs-3g.org> 2008-11-07 07:53:47 MST ---

This is the very short story of the ntfs-3g security problems from over one year ago. All and even more were fixed in January and February of 2008. I can provide real person names offline if requested.

A Fedora user noticed that if ntfs-3g and everything else is configured the documented way for unprivileged mounts to mount NTFS volumes, then users can indeed mount any NTFS volume unprivileged. This was the intended behavior by design for those who needed this feature by explicit configuration (not default), but the user believed it is a security problem.

A security advisory was issued by Fedora, which other distributions followed without checking out the technical details. A Red Hat employee from their security team later confirmed to me in private that the security analysis was incorrect, which he approved.

During the same time Ludwig Nussel from SUSE found an unrelated, real local root exploit (much higher severity). This was never disclosed to the public, but the incorrect security advisory is used today as a proxy. The CVE is still not analysed/confirmed.

The solution would not have been trivial and involved the cooperation of several teams. Since the beginning of this year ntfs-3g has no dependency on FUSE user space, and we were able to fully audit and fix all discovered security issues in ntfs-3g.

Please note, the above doesn't mean setuid-root use would be encouraged by NTFS-3G. Actually just the opposite. But it's there for those who want to run (not only mount) ntfs-3g unprivileged.

The user/user fstab option issue could be fixed if mount(8) called the mount.ntfs-3g mount helper privileged. Otherwise setuid-root ntfs-3g is required.