[Bug 1821250] Re: Drop setuid bit from /bin/ntfs-3g
Ćukasz Zemczak
1821250 at bugs.launchpad.net
Thu Apr 11 07:39:51 UTC 2019
Hey Chris! Do you need any action performed on this package? Or will you
copy it over soon?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ntfs-3g in Ubuntu.
https://bugs.launchpad.net/bugs/1821250
Title:
Drop setuid bit from /bin/ntfs-3g
Status in ntfs-3g package in Ubuntu:
Fix Released
Status in ntfs-3g source package in Xenial:
New
Status in ntfs-3g source package in Bionic:
New
Status in ntfs-3g source package in Cosmic:
New
Bug description:
/bin/ntfs-3g has been installed as setuid-root since xenial, but this
is discouraged upstream (see https://www.tuxera.com/community/ntfs-3g-
faq/#useroption) and recently contributed to CVE-2019-9755
(https://usn.ubuntu.com/3914-1/). As a hardening improvement, this
should not be setuid.
[ Test case ]
Upgrade ntfs-3g and then mount, use and unmount your NTFS volumes as usual.
[ Regression potential ]
This does break one use-case - unprivileged users will not be able to mount NTFS image files. Based on discussions offline, we think this is an edge case and consider it to be an acceptable trade-off. As far as I'm aware, there are no other use-cases that are broken by this change. It doesn't affect automounting of removable volumes or mounting of NTFS block devices (which unprivileged users can't mount anyway). Administrators that want to allow unprivileged users to mount NTFS image files can change the permissions of /bin/ntfs-3g using dpkg-statoverride.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntfs-3g/+bug/1821250/+subscriptions
More information about the foundations-bugs
mailing list