On 4/8/25 5:11 AM, Richard Weinberger wrote:
On Mon, Apr 7, 2025 at 9:08 PM Darrick J. Wong <djwong@kernel.org> wrote:
It's also the default policy on Debian 12 and RHEL9 that if you're logged into the GUI, any program can run:
$ truncate -s 3g /tmp/a
$ mkfs.hfs /tmp/a
$ <write evil stuff on /tmp/a>
$ udisksctl loop-setup -f /tmp/a
$ udisksctl mount -b /dev/loopX
and the user never sees a prompt. GNOME and KDE both display a notification when the mount finishes, but by then it could be too late. Someone should file a CVE against them too.
At least on SUSE, orphaned and other problematic filesystem kernel modules are blacklisted. I wonder why other distros didn't follow this approach.
To be clear, RHEL9 ships a very limited set of filesystems, and as a result does not ship any of these oddball/orphaned filesystems.
While I agree w/ Darrick that the silent automounter is a risk in general, even for well-maintained filesystems, for distros like RHEL the attack surface is much more limited because the most problematic filesystems aren't available.
Not saying it solves the problem completely, just saying it's not as egregious as it might look from the original example.
Thanks,
-Eric
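
The module blacklisting discussed in this thread can be audited from modprobe.d configuration. The script below is an added example, not part of the original message or any distribution's tooling. The sample configuration and the watchlist are constructed, and the script reads configuration only, so it says nothing about modules a distribution simply does not ship.

```python
import os

# Constructed sample modprobe.d content, not copied from any distribution.
SAMPLE_CONF = """\
# constructed example policy
blacklist hfs
install hfsplus /bin/false
blacklist minix
install minix /bin/true
install jfs /sbin/modprobe --ignore-install jfs
"""

# Hypothetical watchlist; choose the filesystems relevant to your fleet.
WATCHLIST = ["hfs", "hfsplus", "minix", "jfs", "ext4"]

NOOP_COMMANDS = {"false", "true"}  # install overrides that load nothing


def _norm(name):
    # modprobe treats '-' and '_' in module names as equivalent
    return name.replace("-", "_")


def parse_modprobe(text):
    """Return (blacklisted, disabled) sets of module names."""
    blacklisted, disabled = set(), set()
    # A trailing backslash continues a directive on the next line.
    for line in text.replace("\\\n", " ").splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "blacklist" and len(tok) >= 2:
            blacklisted.add(_norm(tok[1]))
        elif tok[0] == "install" and len(tok) >= 3:
            if os.path.basename(tok[2]) in NOOP_COMMANDS:
                disabled.add(_norm(tok[1]))
    return blacklisted, disabled


def audit(watchlist, text):
    """Map each module to 'load-disabled', 'autoload-blocked' or 'loadable'."""
    blacklisted, disabled = parse_modprobe(text)
    report = {}
    for mod in map(_norm, watchlist):
        if mod in disabled:
            report[mod] = "load-disabled"     # explicit modprobe loads nothing
        elif mod in blacklisted:
            report[mod] = "autoload-blocked"  # alias autoload on mount suppressed
        else:
            report[mod] = "loadable"
    return report
```

A module reported as "autoload-blocked" can still be loaded by an explicit modprobe by name; only an install override to a no-op command stops that as well.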