>> >> I belive it is a security bug, non allowed user could use fuse. >> Do not raise priority because it will only allow a user to do something mad >> on his own account, and race windows is tiny. > > Except /dev/fuse already has the right permissions per udev rules, so > fusermount is actually useless for users not in the fuse group.
The problem is more subtle during installation fusermount is SUID, owned by root and executable by other. Therefore permission on /dev/fuse are not checked. After post inst run, fusermount will not be executable by other. But they exist a windows between copy and post inst rule when fusermount could be used by everybody. Bastien PS: BTW it is bug 502300 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
