https://bugzilla.novell.com/show_bug.cgi?id=293429#c12

Bernhard Kaindl <bk@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bk@novell.com
             Status|NEEDINFO                    |NEW
      Info Provider|bk@novell.com               |

--- Comment #12 from Bernhard Kaindl <bk@novell.com> 2007-09-18 16:04:59 MST ---

To sum up: The security team's claim (I refuted it at the top of comment 8)

    /sbin/mount.ntfs-3g does not need to be setuid root, it is called
    root:root as helper already.

is not true. The team's suggestion was based on this, so it does not work.

I now also checked the source: it unconditionally does

    setuid(getuid()); setgid(getgid());

to drop the euid+egid and restore the normal user uid/gid before calling the
mount helper.

I have looked at the ntfs-3g code and, as Szaka said, it drops privileges
after the mount itself completed. Before the euid is dropped, the command line
options are parsed and the fuse mount library is called. That library is used
by fusermount for the same purpose and is already used suid root:

    $ grep fuse /etc/permissions*
    /etc/permissions.easy:/usr/bin/fusermount root:trusted 4755
    /etc/permissions.secure:/usr/bin/fusermount root:trusted 4750
    /etc/permissions.paranoid:/usr/bin/fusermount root:trusted 0755

So the only code which is not yet used suid root is the command line option
parsing in ntfs-3g, which is fairly simple and should be easy to audit. I have
not seen any flaw in it so far, but I do not have the responsibility to judge
it.

----------------------------------------------------------------------------------

My personal opinion is that, as it's currently used, the user approach lacks
support for hotplugging, so I think that to do it properly we'd have to use
hal.

ntfs-config, the program which I hoped could make it all "just work", seems to
be quite broken in several ways and does not do at all what I hoped: I thought
that it would be integrated with hal, but the only thing which it does with hal
is that it installs an fdi file in /etc/hal/fdi/policy which changes the fstype
of hotpluggable ntfs partitions to ntfs-3g and allows the hal mount users to
use the ntfs-3g locale mount option, but that's all.

Besides that, it fully depends on root rights, does not mount thru hal but
directly with mount, and creates fstab entries for the USB and FireWire disks
which it sees, which locks out users of hal in two ways:

  * Since the filesystems are not mounted by hal, they cannot be unmounted
    thru hal
  * Since they are listed in /etc/fstab, they cannot be mounted thru hal

Further observations:

  * It uses the non-persistent /dev/sd[a-z][number] instead of
    /dev/disk-by-id/{id}, so if you ever connect a different USB or FireWire
    disk than the one it put into /etc/fstab, things break: disks are not
    identified in any way.
  * In the medium-size, very diverse test setup with two identical USB disk
    drives (which can only be identified by their differing disk-by-id and
    their different partitions), one FireWire disk and two more USB disks, it
    seems to add all partitions to /etc/fstab, but mounts only 2 of them, and
    while it shows even 4 partitions in the second run, it still does nothing
    when (un)checking the read-write checkboxes for the other two partitions.
  * It already takes quite a few seconds to probe all disks (before showing
    anything to the user) which I connected in this setup.

While changing ntfs-config to use hal might be something good to do, as that
should solve the issues, I have difficulty believing that it could reach the
10.3 gold master. So if we want to allow the user to mount NTFS partitions
read-write without requiring him to use the shell to mount it as root by hand,
we have to give ntfs-3g root privileges.
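The comment above turns on how a setuid-root helper drops privilege and how much code runs before that drop. The following is an added example, not code from the bug report or from ntfs-3g, showing a permanent root drop in the order that works on Linux/glibc (groups and gid first, uid last) together with a self-check that the drop really took; the function names drop_privileges and verify_dropped are my own.

```c
/* Added example (not from the bug report or ntfs-3g): permanently dropping
 * root in a setuid helper, plus a self-check that the drop cannot be undone.
 * Assumes Linux/glibc. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop all privilege to uid/gid. Order matters: supplementary groups and the
 * gid must be changed while we are still root, because once setuid() has made
 * us an unprivileged user, setgroups()/setgid() are no longer permitted. Doing
 * setuid() first and setgid() second (the order quoted in the comment above)
 * would leave a setuid-root binary with its effective gid still root.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may clear supplementary groups; as a normal user there
         * is nothing privileged to drop here. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)   /* as root: sets real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)   /* as root: sets real, effective and saved uid */
        return -1;
    return 0;
}

/* Verify the drop actually took. Real and effective ids must equal the
 * target, and when the target is not root, regaining uid 0 must fail with
 * EPERM: if the saved uid were still 0 (a seteuid()-style temporary drop),
 * setuid(0) would simply succeed. Returns 1 if the process is fully dropped. */
int verify_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0) {
        errno = 0;
        if (setuid(0) == 0 || errno != EPERM)
            return 0;
    }
    return 1;
}

/* Stand-alone demonstration: drop to the invoking user's real ids (a no-op
 * when the binary is not setuid root) and report the self-check result. */
int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("dropped to uid=%u gid=%u: %s\n", (unsigned)uid, (unsigned)gid,
           verify_dropped(uid, gid) ? "verified" : "NOT dropped");
    return 0;
}
```

The useful habit is the second function: a helper that parses options or touches a library while still root should, after the drop, prove to itself that it can no longer get root back, rather than assuming the two calls succeeded.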