On 1/30/19 1:59 PM, Andrei Borzenkov wrote:
30.01.2019 19:41, Martin Wilck wrote:
SUSE will blacklist a number of legacy and/or less frequently used file systems by default on SLES for security reasons.
The proposed list can be seen here:
https://github.com/openSUSE/suse-module-tools/pull/5/commits/8cb42fb6658f210...
# The following list only specifies local file systems since those are the
# only ones that will be detected automatically by mount(8).
This patch not only blocks auto-detected filesystem types, it also makes mount(8) with an *explicit* fstype fail (also in /etc/fstab) unless the module implementing this fstype is loaded in advance.
bor@bor-Latitude-E5450:~/src/util-linux$ LC_ALL=C mkfs.cramfs sys-utils/ /tmp/cramfs.loop
mkfs.cramfs: warning: gids truncated to 8 bits. (This may be a security concern.)
bor@bor-Latitude-E5450:~/src/util-linux$ LC_ALL=C blkid /tmp/cramfs.loop
/tmp/cramfs.loop: LABEL="Compressed" TYPE="cramfs"
bor@bor-Latitude-E5450:~/src/util-linux$ LC_ALL=C sudo mount -o loop /tmp/cramfs.loop /mnt
mount: /mnt: unknown filesystem type 'cramfs'.
bor@bor-Latitude-E5450:~/src/util-linux$
Is it intentional?
Yes. Unless mount(8) specifically loads a module, which it doesn't, then the kernel still needs to request the module to be loaded. If an unprivileged user can execute mount with a type to load a crafted image, then there's no protection at all.

-Jeff

--
Jeff Mahoney
SUSE Labs
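The behaviour discussed in this thread, as an added example that is not part of the original messages or of suse-module-tools: a small audit helper that predicts, for a given fstype, whether a mount can succeed without loading the module in advance. It assumes the kernel resolves an unregistered type through the `fs-<type>` module alias and that modprobe honours `blacklist` directives for alias lookups; all sample file contents and function names are constructed for illustration.

```python
# Added example. Inputs mimic modprobe.d, /proc/filesystems and modules.alias;
# the sample contents below are constructed, not taken from a real system.

def parse_blacklist(modprobe_conf):
    """Module names listed in 'blacklist' directives ('-' and '_' are equivalent)."""
    names = set()
    for line in modprobe_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "blacklist":
            names.add(fields[1].replace("-", "_"))
    return names

def parse_registered(proc_filesystems):
    """Types the running kernel already knows (built in or module loaded)."""
    return {l.split()[-1] for l in proc_filesystems.splitlines() if l.strip()}

def parse_fs_aliases(modules_alias):
    """Map fstype -> module from 'alias fs-<type> <module>' lines."""
    aliases = {}
    for line in modules_alias.splitlines():
        f = line.split()
        if len(f) == 3 and f[0] == "alias" and f[1].startswith("fs-"):
            aliases[f[1][3:]] = f[2].replace("-", "_")
    return aliases

def mount_outcome(fstype, registered, aliases, blacklist):
    """Predict what happens when a mount asks the kernel for this fstype."""
    if fstype in registered:
        return "registered"   # loaded in advance or built in: mount proceeds
    module = aliases.get(fstype)
    if module is None:
        return "no-module"    # nothing provides this type
    if module in blacklist:
        return "blocked"      # alias lookup refused: "unknown filesystem type"
    return "autoload"         # kernel-requested load succeeds

# Constructed sample data.
MODPROBE_CONF = "# legacy file systems\nblacklist cramfs\nblacklist minix\n"
PROC_FILESYSTEMS = "nodev\tsysfs\nnodev\tproc\n\text4\n\tminix\n"
MODULES_ALIAS = ("alias fs-cramfs cramfs\nalias fs-minix minix\n"
                 "alias fs-iso9660 isofs\nalias fs-ext4 ext4\n")

def audit(fstypes):
    reg = parse_registered(PROC_FILESYSTEMS)
    ali = parse_fs_aliases(MODULES_ALIAS)
    bl = parse_blacklist(MODPROBE_CONF)
    return {t: mount_outcome(t, reg, ali, bl) for t in fstypes}

if __name__ == "__main__":
    for fstype, outcome in audit(["cramfs", "minix", "iso9660", "ext4"]).items():
        print(f"{fstype:8} {outcome}")
```

In the sample, `minix` is blacklisted but already listed in the `/proc/filesystems` text, so it reports `registered`: that is the "loaded in advance" case from the thread.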