Comment 8 for bug 885027

Dan Rosenberg (dan-j-rosenberg) wrote:

"You mean that a program designed to let an unprivileged user
mount/unmount/eject anything he wants has a security flaw because it allows
him to mount/unmount/eject anything he wants? I'm shocked."

Unfortunately, sarcasm does not make you right. Yes, this is a critical security flaw, because anyone with calibre installed on their system now allows any user to gain root privileges by mounting on top of important directories. Just because your application allows this by design rather than by mistake doesn't make this less of a problem.

As for the other flaws identified, they represent violations of DAC (Discretionary Access Control). Essentially, if you can't design your setuid program in a way that does not grant additional unintended capabilities to unprivileged users (besides a carefully stated intended capability like "mount/umount/eject USB devices"), then you shouldn't be using a setuid application.

There are already ways to safely achieve what you're trying to do without introducing security vulnerabilities. Ubuntu implements automatic mounting of USB media using udisks in conjunction with gvfs-gdu-volume-monitor. If this isn't an option, the "pmount" application allows users to safely mount and unmount removable media without introducing (obvious) security holes.
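The least-privilege point in the comment above, as an added example that is neither calibre's code nor anything from this thread: the validation a setuid mount helper would need before honouring a user-chosen mount point, assuming a hypothetical per-user media root (such as /media/<user>) as the only place the helper is meant to mount.

```python
import os
import shutil
import stat
import tempfile

# Added example (not calibre's code). A setuid helper whose intended capability is
# "mount removable media under the invoking user's own media directory" must reject
# any other target, otherwise mounting on top of /etc, /usr/bin, etc. becomes a
# path to root. The checks below are the minimum; see the TOCTOU note at the end.


def mountpoint_within_root(requested: str, allowed_root: str) -> bool:
    """Pure path check: is the normalised target strictly inside allowed_root?"""
    root = os.path.normpath(allowed_root)
    target = os.path.normpath(requested)  # collapses "a/../../etc" to "/etc"
    return target != root and target.startswith(root + os.sep)


def validate_mountpoint(requested: str, uid: int, allowed_root: str) -> tuple:
    """Return (ok, reason) for a mount point requested by the user with this uid."""
    if not os.path.isabs(requested):
        return False, "mount point must be an absolute path"
    if not mountpoint_within_root(requested, allowed_root):
        return False, "outside the user's media root"
    # realpath follows symlinks, so /media/alice/link -> /etc is caught here
    real = os.path.realpath(requested)
    if not mountpoint_within_root(real, allowed_root):
        return False, "resolves outside the user's media root"
    try:
        st = os.lstat(real)
    except FileNotFoundError:
        return False, "mount point does not exist"
    if not stat.S_ISDIR(st.st_mode):
        return False, "mount point is not a directory"
    if st.st_uid != uid:
        return False, "mount point not owned by the invoking user"
    # Note: check-then-mount is racy (TOCTOU); a real helper should open the
    # directory with O_NOFOLLOW and mount via the descriptor, or use a fixed
    # helper-created directory rather than a user-supplied path.
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: a temp dir stands in for /media/<user>."""
    base = os.path.realpath(tempfile.mkdtemp())  # realpath: macOS /var -> /private/var
    uid = os.getuid()
    try:
        os.mkdir(os.path.join(base, "usb0"))
        os.symlink("/etc", os.path.join(base, "link_to_etc"))
        return {
            "usb0": validate_mountpoint(os.path.join(base, "usb0"), uid, base),
            "symlink": validate_mountpoint(os.path.join(base, "link_to_etc"), uid, base),
            "etc": validate_mountpoint("/etc", uid, base),
            "missing": validate_mountpoint(os.path.join(base, "nope"), uid, base),
        }
    finally:
        shutil.rmtree(base)
```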