[lug] WAS: Version Control Device Special Files?...NOW: tar dev special file security
stimits at comcast.net
stimits at comcast.net
Mon Jan 6 15:48:31 MST 2014
An interesting point. I personally run a single file system for home and the rest, so I couldn't mount my home with nodev. I don't know a lot about SElinux, but it makes me wonder if perhaps mount POINTS should have a nodev option when SElinux is not around. So one could perhaps create a file like fstab which would be able to say "directories not on this list shall not allow device special files". Then again, if a user wants to untar a non-trustworthy file, you probably can't get around all human behavior.
...
> I mention this since many people forget that there are various attacks via special devices and tar will happily create them if you untar a malicious tarball. That's also why /home and removable media should be mounted 'nodev'....
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20140106/429d3ee7/attachment.html>
More information about the LUG
mailing list