Ralph Corderoy <email address hidden> writes:
> Nikolaus wrote:
>> > https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/225361/comments/11
>> > I understand this configuration of FUSE has been chosen because of
>> > security concerns, as opposed to using its allow_users or allow_root
>> > options.
>> This is not a valid concern. In Ubuntu, allow_root is by default
>> enabled in /etc/fuse.conf.
> In my untouched 8.04 /etc/fuse.conf, both mount_max and
> user_allow_other are commented out, meaning the file has no active
Hmm. I'm running 8.04 as well, and here it is enabled. I don't
remember changing it either. However, this is not a fresh install but
has been upgraded several times, so maybe the setting survived from an
>> So even if gvfs does not use --allow-root, a malicious user can simply
>> mount a filesystem of his choice manually and with --allow-root.
> It's my understanding that Ubuntu have set up automounting of user
> filesystems (non-FUSE ones) so a malicious user can have root mount
> their concocted filesystem anyway, so I'm not sure what the current
> troublesome, non-Unix, FUSE configuration is protecting us from?
Yes, I don't see any point in that either.
»It is not worth an intelligent man's time to be in the majority.
By definition, there are already enough people to do that.«
PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C