On Mon, Apr 7, 2025 at 9:08 PM Darrick J. Wong djwong@kernel.org wrote:
It's also the default policy on Debian 12 and RHEL9 that if you're logged into the GUI, any program can run:
    $ truncate -s 3g /tmp/a
    $ mkfs.hfs /tmp/a
    $ <write evil stuff on /tmp/a>
    $ udisksctl loop-setup -f /tmp/a
    $ udisksctl mount -b /dev/loopX
and the user never sees a prompt. GNOME and KDE both display a notification when the mount finishes, but by then it could be too late. Someone should file a CVE against them too.
At least on SUSE, orphaned and other problematic filesystem kernel modules are blacklisted. I wonder why other distros didn't follow this approach.
You can tighten this up by doing this:
    # cat > /usr/share/polkit-1/rules.d/always-ask-mount.rules << ENDL
    // don't allow mounting, reformatting, or loopdev creation without asking
    polkit.addRule(function(action, subject) {
        if ((action.id == "org.freedesktop.udisks2.loop-setup" ||
             action.id == "org.freedesktop.udisks2.filesystem-mount" ||
             action.id == "org.freedesktop.udisks2.modify-device") &&
            subject.local == true) {
            // prompt for an admin password; keep the authorization for a while
            return polkit.Result.AUTH_ADMIN_KEEP;
        }
    });
    ENDL
Thanks for sharing this!
so at least you have to authenticate with an admin account. We do love our footguns, don't we? At least it doesn't let you do that if you're ssh'd in...
IMHO guestmount and other userspace filesystem implementations should be the default for such mounts.
//richard
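A way to check a rule like the always-ask-mount.rules above before dropping it into /usr/share/polkit-1/rules.d/, as an added example that is not part of this thread or of udisks/polkit: a tiny stand-in for the `polkit` object that polkitd exposes to rules files, modelling only `addRule()`, `Result` and the first-non-undefined-result-wins evaluation order. The `evaluate()` helper, the subject objects and the `org.example.unrelated-action` id are constructed for the example; `"default"` stands for "no rule matched, the action's .policy defaults apply".

```javascript
// Added example: offline harness for unit-testing a udisks2 polkit rule.
// The `polkit` object is a stand-in (assumption) for the real one that
// polkitd's JavaScript engine provides to files in rules.d/.
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN_KEEP: "auth_admin_keep" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Same rule body as the posted always-ask-mount.rules.
polkit.addRule(function (action, subject) {
  if ((action.id == "org.freedesktop.udisks2.loop-setup" ||
       action.id == "org.freedesktop.udisks2.filesystem-mount" ||
       action.id == "org.freedesktop.udisks2.modify-device") &&
      subject.local == true) {
    return polkit.Result.AUTH_ADMIN_KEEP;
  }
});

// polkitd runs rule functions in order; the first one returning a value
// other than undefined decides. If none does, the action's defaults apply,
// which this harness reports as the constructed string "default".
function evaluate(actionId, subject) {
  const action = { id: actionId };
  for (const rule of polkit._rules) {
    const result = rule(action, subject);
    if (result !== undefined) return result;
  }
  return "default";
}

// Constructed subjects: a user at the GUI console, and the same user over ssh.
const LOCAL_GUI = { local: true, active: true, user: "alice" };
const SSH_SESSION = { local: false, active: false, user: "alice" };

// Returns a table of action -> result for both subjects, so the effect of the
// rule can be inspected at a glance (or asserted on).
function matrix() {
  const actions = [
    "org.freedesktop.udisks2.loop-setup",
    "org.freedesktop.udisks2.filesystem-mount",
    "org.freedesktop.udisks2.modify-device",
    "org.example.unrelated-action", // placeholder id, not a real udisks2 action
  ];
  const out = {};
  for (const id of actions) {
    out[id] = { local: evaluate(id, LOCAL_GUI), ssh: evaluate(id, SSH_SESSION) };
  }
  return out;
}

console.table(matrix());
```

The rule only fires for local subjects, so an ssh session falls through to the distribution's own .policy defaults, which is exactly the case the thread notes is already handled; the harness makes that visible without touching a live polkitd.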