On Sat, Jan 27 2018, "who one" <whoonetets@mail.com> wrote:
> Hello,
>
> afaik if I would remove the lines that contain "FUSE" and "fuse" from /sys/conf/GENERIC and re-compile the kernel, that would mean, there will be no more FUSE support in my kernel after reboot.
>
> If so, would this step help to make my system more secure? Ex.: from a future FUSE related security issue?

Not really. Right now you need to be root to mount a filesystem,
this includes fuse filesystems*. This restriction would make it hard for
a rogue unprivileged user to exploit bugs in fuse kernel code.
Previously, a sysctl setting was available to allow user mounts
(including fuse mounts), but this setting has been removed. You also
needed to be root to set that flag.

> just asking theoretically, since I don't use FUSE related stuff, so thinking of that is unneeded.
>
> or it would just create an unsupported kernel which didn't have any tests regarding the missing fuse and maybe cause bigger issues and security issues vs. if I hadn't touched it?

Different means unsupported. ;)

* this is not very convenient. Also I don't know if our implementation
is affected, but running a fuse filesystem with the allow_other option
could bring security issues... See
https://www.cs.nmsu.edu/~pfeiffer/fuse-tutorial/html/security.html
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE