On Sat, Jan 27 2018, "who one" <whoonet...@mail.com> wrote:
> Hello,
>
> afaik if I would remove the lines that contain "FUSE" and "fuse" from
> /sys/conf/GENERIC and re-compile the kernel, that would mean, there will be
> no more FUSE support in my kernel after reboot.
>
> If so, would this step help to make my system more secure? Ex.: from a future
> FUSE related security issue?

Not really. Right now you need to be root to mount a filesystem; this
includes fuse filesystems*. This restriction would make it hard for a
rogue unprivileged user to exploit bugs in fuse kernel code.

Previously, a sysctl setting was available to allow user mounts
(including fuse mounts), but this setting has been removed. You also
needed to be root to set that flag.

> just asking theoretically, since I don't use FUSE related stuff, so thinking
> of that is unneeded.
>
> or it would just create an unsupported kernel which didn't have any tests
> regarding the missing fuse and maybe cause bigger issues and security issues
> vs. if I hadn't touched it?

Different means unsupported. ;)

* this is not very convenient. Also I don't know if our implementation
  is affected, but running a fuse filesystem with the allow_other option
  could bring security issues... See
  https://www.cs.nmsu.edu/~pfeiffer/fuse-tutorial/html/security.html

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE