desktop-packages team mailing list archive

[Bug 882862] Re: Guest account can read/write in /media/

 

Originally we deliberately allowed that so that guest users can use a
USB stick to do things like editing documents there or keeping
their Firefox config. See the profile:

  /media/** rmwlixk,  # we want access to USB sticks and the like

However, this should certainly be limited to the guest user's own
devices. We already shield users from each other by mounting VFAT
devices with dmask=0077, and ext4 devices have their own ACLs anyway.

That of course breaks down if you have custom /etc/fstab rules which
allow anyone to write there. I think we can tighten this up with

  owner /media/** rmwlixk,

This would break desired access to e.g. ext4 external hard disks, but
that might be a smaller use case.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/882862

Title:
  Guest account can read/write in /media/

Status in “lightdm” package in Ubuntu:
  Fix Committed

Bug description:
  The guest account can everything under /media/.
  Is the guest account really supposed to be able to access and read all the files on the host computer?

  If yes, then is the guest account really really supposed to be able to write to /media/ ?
  Shouldn't the guest be limited to his temporary home in /tmp/ ?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/882862/+subscriptions
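
The following is an added example, not part of the original message or of the lightdm profile. It is a simplified model of how the two rules discussed above combine with ordinary Unix permissions. The uids, paths and modes are constructed, and the model assumes access needs both the permission bits and the profile rule to allow it.

```python
import stat

GUEST_UID, GUEST_GID = 999, 999  # constructed ids for the guest session

def dac_allows(mode, file_uid, file_gid, want_write):
    """Classic Unix check: pick owner, group or other bits, then test r/w."""
    if file_uid == GUEST_UID:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif file_gid == GUEST_GID:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return bool(mode & (w if want_write else r))

def profile_allows(path, file_uid, owner_only):
    """Model of '/media/** rmwlixk,' and its 'owner'-qualified form."""
    if not (path.startswith("/media/") and len(path) > len("/media/")):
        return False
    # 'owner' makes the rule apply only when the task's uid owns the file.
    return file_uid == GUEST_UID if owner_only else True

# Constructed cases: (path, mode, file uid, file gid, want_write)
CASES = {
    "guest_own_vfat_stick": ("/media/GUESTUSB/docs", 0o700, GUEST_UID, GUEST_GID, True),
    "other_user_vfat_dmask_0077": ("/media/ALICE/docs", 0o700, 1000, 1000, True),
    "custom_fstab_world_writable": ("/media/data/report.odt", 0o777, 0, 0, True),
    "ext4_disk_file_of_other_uid": ("/media/backup/photo.jpg", 0o644, 1000, 1000, False),
}

def evaluate(owner_only):
    """Access is granted only if both DAC and the profile rule allow it."""
    result = {}
    for name, (path, mode, uid, gid, want_write) in CASES.items():
        result[name] = (dac_allows(mode, uid, gid, want_write)
                        and profile_allows(path, uid, owner_only))
    return result

if __name__ == "__main__":
    for owner_only in (False, True):
        rule = ("owner " if owner_only else "") + "/media/** rmwlixk,"
        print(rule, evaluate(owner_only))
```

The world-writable fstab mount is reachable only under the unqualified rule, and the `owner` form also denies the read of another uid's file on the ext4 disk, which is the breakage mentioned above.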