Automount security concerns?
todd rme
toddrme2178 at gmail.com
Fri Mar 11 20:08:41 GMT 2011
On Fri, Mar 11, 2011 at 2:37 PM, Matthias Fuchs <mat69 at gmx.net> wrote:
> Am Freitag 11 März 2011, 20:27:20 schrieb Markus Slopianka:
>> Am Freitag 11 März 2011, 18:35:45 schrieb Matthias Fuchs:
>> > Hi,
>> >
>> > I just watched a video [1] on exploiting autrun/generating of
>> > thumbnails/... of data on usb sticks.
>> > Yes this is specific to Gnome, though I wonder if that could be a problem
>> > in KDE too, as is mentioned at the ending.
>> > E.g. I don't know if strigi starts indexing files automatically on
>> > mounted stuff.
>> >
>> > Yes physical access is always bad. But imagine you are at a place where
>> > many people are (and stealing the pc is no option). Just going to the
>> > toilet for a short moment -- with the screen locked -- could make your
>> > computer cracked.
>> >
>> > In general I think that nothing usb-stick/new hardware related should
>> > happen if the screen is locked. And if really a usb-stick is connected to
>> > the pc while locked, when a dialog should pop up -- which can only be
>> > accessed when unlocking -- asking for further actions.
>> > This way the risk is reduced and the user gets informed at the same time.
>> >
>> > Now where should this happen? Probably in solid, so that nothing being in
>> > general informed of new devices will be activated.
>> >
>> > [1] http://www.youtube.com/watch?v=ovfYBa1EHm4
>> I'm wondering if you took the time to actually try Plasma Desktop before
>> posting that mail.
>> By default no drive is mounted automatically. Device Notifier just notifies
>> that a new drive is present. Users have to click first (either in the
>> Plasma popup or Dolphin's side bar) to mount the drive. To get automatic
>> mounting, the user has to change settings first. Because of this the gives
>> attack case is of no concern.
>>
> In fact I have used plasma ...
> Might be that I changed the default and can't remember anymore.
>
> In this case as you pointed out this is most likely a non-issue KDE wise,
> unless the user changed it to auto mounting.
Even if the user changed the auto mounting settings, I think it still
makes sense to disable the auto-mounting when the computer is locked.
It seems to be a security issue, and having it instantly auto-mount
when the user unlocks the computer seems like it would work for most
use-cases.
Someone would need to be doing some pretty advanced scripting to need
to mount a drive while the computer is locked, and in that case they
can probably set it up to mount within the script. If I recall k3b
handles mounting itself, so so switching out discs during a multi-disc
burn operation should not be affected by this.
-Todd
More information about the kde-core-devel
mailing list