undefined | Better HN

0 pointsunixreply556y ago0 comments

Yes; that is why it is recommended that untrustworthy drives be mounted with the `nosuid` flag.

0 comments

3 comments · 1 top-level

aasasd6y ago· 2 in thread

Ah, so even though filesystems don't go through files, they still can block the operation of suid. This suggests then that Veracrypt can simply enable the nosuid option when mounting a device.

cyphar6y ago

And they should also add nodev, to block a similar attack where you add a bunch of block devices with 777 permissions, in an attempt to make the block device "/" is mounted from be readable to a user and thus able to read (and write) any file on the host.

unixreply55OP6y ago

I didn't know of this attack, sounds interesting :) can you explain in a bit more detail how it would work?

1 more reply

j / k navigate · click thread line to collapse