Package: policykit-1 Version: 0.105-14.1 Severity: grave Tags: security
Hi. Apparently polkit (or at least I guess it's ultimately the offender here, if not please reassign accordingly) allows ordinary users to mount any filesystem per default. E.g. such connected via USB, or set up via losetup. At least that works so e.g. via nautilus,.. wich disturbingly seem to do that even automatically though nothing from that attached device/fs was accessed... o.O Since such filesystems may have totally different user/group owners or even none and be world wrtiable (e.g. with *FAT filesystems) and since they may contain any sensitve data frm keys to secret source code, etc., this is a grave security breach. May not matter that much on a notebook or tablet, but one should hope that even nowadays Debian isn't just made for those people,.. and there are perhaps still some other systems out there were devices with such filesystems are connected and where uses have direct and/or remote accesses, but where they should not be able to mount any fs. Since it has been the long standing behaviour of UNIX/Linux ever, that normal users cannot mountfilesystems unless explicitly allowed, please revert to that behaviour. Cheers, Chris.
