How secure is HAL?

David Zeuthen david at fubar.dk
Fri Dec 21 09:53:00 PST 2007


On Fri, 2007-12-21 at 14:51 +0100, Manuel Reimer wrote:
> Hello,
> 
> is a user or a program running with an unprivileged account able to get 
> root access by plugging in an USB memory device with an executable file 
> on it, which is owned by root and has the suid-bit set?

No. We always set the nodev,nosuid flags.

> Who exactly sets the mount options for HAL? Is an unprivileged binary 
> (like KDE) able to define which mount options are set?

Yes. And hal has a whitelist of safe options; see

http://gitweb.freedesktop.org/?p=hal.git;a=blob;h=9a0cbf56242cf58f3578fb4330ea047761008957;hb=bc52f26e5f10f52cf87266342b95cf6dbeaf85db;f=fdi/policy/10osvendor/20-storage-methods.fdi

that it accepts, e.g.

 volume.mount.valid_options = {'ro', 'sync', 'dirsync', 'noatime',
                               'nodiratime', 'noexec', 'quiet',
                               'remount', 'exec', 'utf8', 'shortname=',
                               'codepage=', 'iocharset=', 'umask=',
                               'dmask=', 'fmask=', 'uid=', 'flush'}

Please see the source for details.

> How does HAL prevent suid-root binaries? It doesn't seem like the 
> "nosuid" mount option is used. 

Incorrect.

/dev/sdb1 on /media/EOS_DIGITAL type vfat (rw,nosuid,nodev,uhelper=hal,shortname=lower,uid=500)

Though of course any distro can apply any patch they want. Would be
helpful if you were more specific.

> Seems like HAL uses the "uid" option to 
> "give all the files to the mounting user". Is this right?

Only on file systems that support this (e.g. vfat). And it's not "HAL"
that uses it; it's the desktop mount program, e.g. gnome-mount or
whatever, that decides to do this. HAL is only a mechanism; it doesn't
really do anything by itself.

> At which place is this "uid" option generated and who sets the value for it?

See above.

     David
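The whitelist model David describes, shown as an added example that is not HAL's own code or from this thread: a privileged mount helper accepts only options from the `volume.mount.valid_options` list quoted above (entries ending in `=` take a caller-chosen value) and always forces `nosuid,nodev` on, as in the `mount` output in the reply. It assumes Python and does not bind `uid=` to the calling user, which a real helper must do.

```python
# Added example, not HAL's code: enforcing a mount-option whitelist in a
# privileged helper before trusting options chosen by an unprivileged
# desktop program (gnome-mount, KDE, ...).

# Whitelist copied from the 20-storage-methods.fdi excerpt quoted above.
# Entries ending in '=' are key=value options whose value the caller picks.
VALID_OPTIONS = {'ro', 'sync', 'dirsync', 'noatime',
                 'nodiratime', 'noexec', 'quiet',
                 'remount', 'exec', 'utf8', 'shortname=',
                 'codepage=', 'iocharset=', 'umask=',
                 'dmask=', 'fmask=', 'uid=', 'flush'}

# Always added by the privileged side, regardless of what was requested.
# 'suid' and 'dev' are not whitelisted, so they can never re-enable setuid
# binaries or device nodes by being appended after these.
FORCED_OPTIONS = ('nosuid', 'nodev')


def option_allowed(opt: str) -> bool:
    """True if opt is a bare whitelisted flag, or a whitelisted key= option
    with a non-empty value containing no comma or whitespace (so a value
    cannot smuggle in a second option such as 'uid=500,suid')."""
    if '=' in opt:
        key, _, value = opt.partition('=')
        if (key + '=') not in VALID_OPTIONS or value == '':
            return False
        return not any(c == ',' or c.isspace() for c in value)
    return opt in VALID_OPTIONS


def build_mount_options(requested):
    """Return the final comma-separated option string for mount(8), or raise
    ValueError naming the first option that is not on the whitelist.
    Note: this example does not check that uid= names the calling user;
    a privileged helper must tie that value to the caller's identity."""
    accepted = []
    for opt in requested:
        if not option_allowed(opt):
            raise ValueError(f"mount option not permitted: {opt!r}")
        accepted.append(opt)
    return ','.join(list(FORCED_OPTIONS) + accepted)


if __name__ == '__main__':
    # Constructed request, like a desktop program mounting a vfat stick.
    print(build_mount_options(['shortname=lower', 'uid=500']))
```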
