On Fri, Jan 02, 2009 at 09:37:12PM +0100, Bastien ROUCARIES wrote: > tags 398254 + security > tags 398254 + patch > thanks > > >The postinst of fuse-utils creates the group fuse and sets the > >permissions of fusermount to root:fuse 4754. Before that happens, > >fusermount has the permissions specified in the deb, namely root:root > >4755. Thus, during the installation of fuse, any user can mount a > >FUSE filesystem without needing membership in group fuse. > > I belive it is a security bug, non allowed user could use fuse. > Do not raise priority because it will only allow a user to do something mad > on his own account, and race windows is tiny.
Except /dev/fuse already has the right permissions per udev rules, so fusermount is actually useless for users not in the fuse group. Mike -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
