How to disable autorun? Are there any hidden autorun features on a standard Fedora install??
http://securitytube.net/USB-Autorun-attacks-against-Linux-at-Shmoocon-2011-v...
On 02/07/2011 12:21 PM, kellyremo wrote:
How to disable autorun? Are there any hidden autorun features on a standard Fedora install??
http://securitytube.net/USB-Autorun-attacks-against-Linux-at-Shmoocon-2011-v...
Open any Nautilus window (e.g., PLACES -> COMPUTER) and then EDIT->PREFERENCES. Autorun is controlled on the MEDIA tab. Check "Never prompt or start programs on media insertion" or use the controls above to do a bit more fine tuning.
Steven Stern writes:
On 02/07/2011 12:21 PM, kellyremo wrote:
How to disable autorun? Are there any hidden autorun features on a standard Fedora install??
http://securitytube.net/USB-Autorun-attacks-against-Linux-at-Shmoocon-2011-v...
Open any Nautilus window (e.g., PLACES -> COMPUTER) and then EDIT->PREFERENCES. Autorun is controlled on the MEDIA tab. Check "Never prompt or start programs on media insertion" or use the controls above to do a bit more fine tuning.
... and, as you can see, the "Autorun" feature, in Linux, is really nothing more than starting an application that's already installed on the system, when a specific kind of media gets inserted.
This is way, way different than automatically running software from the inserted media when you pop it in. Not even in the same league, in terms of a security issue.
And, furthermore, that article really talks about things like using inserted media to exploit existing bugs in system software. So, for example, if, theoretically, there's an exploitable bug in the jpeg library, and autorun is set to open a folder when media is inserted, then, theoretically, a carefully crafted jpeg file on the inserted media would make you vulnerable to getting automatically p0wned if the autorun automatically pops up a nautilus folder, which attempts to generate a thumbnail for the jpeg file, thereby exploiting the jpeg library vulnerability.
Were that even so, this would not be an autorun exploit, but rather the jpeg library exploit, in the first place.
So, there is no issue with the "autorun" feature, as implemented in Nautilus/Gnome.
On Mon, 2011-02-07 at 10:21 -0800, kellyremo wrote:
How to disable autorun? Are there any hidden autorun features on a standard Fedora install?? http://securitytube.net/USB-Autorun-attacks-against-Linux-at-Shmoocon-2011-v...
FUD: "Lots of code executes when a new mass storage device is connected"
Fact: Lots of code executes when a new mass storage device is connected, before, after and even when the device is not connected. And no file from a USB is executed by a kernel or root process. Not even any owned by a user process -although explicitly programmed-.
Some drivers are executed, of course. That's equivalent to saying that some kernel processes are executed when a USB is plugged. Executing kernel code is completely different from automatically running an executable file located on the USB -which precisely Windows autorun does-.
Now, any vulnerable or buggy kernel code has nothing to do with autorun. That's like comparing midgets and oranges.
:)
----------------------------------------------
Rodolfo Alcazar Portillo - nospaze@gmail.com
otbits.blogspot.com / counter.li.org: #367962
----------------------------------------------
"The computer helps us solve problems that we would not have at all without it." - Unknown author
Way back on Fedora 9, my Nautilus preferences have an option for when "software" media is inserted to "open auto-run prompt". Since I don't have anything to test it with, and it doesn't appear to be documented in the Gnome help, what does it actually do?
On 02/09/2011 02:26 AM, Tim wrote:
Way back on Fedora 9, my Nautilus preferences have an option for when "software" media is inserted to "open auto-run prompt". Since I don't have anything to test it with, and it doesn't appear to be documented in the Gnome help, what does it actually do?
Prompt on whether you want to automatically run something in the media after checking for the presence of the appropriate file
Rahul
Tim:
Way back on Fedora 9, my Nautilus preferences have an option for when "software" media is inserted to "open auto-run prompt". Since I don't have anything to test it with, and it doesn't appear to be documented in the Gnome help, what does it actually do?
Rahul Sundaram:
Prompt on whether you want to automatically run something in the media after checking for the presence of the appropriate file
I gathered that, I meant more specifically what does it do. Does it look for a file using a certain file name on the disc, and what name?
On 02/09/2011 06:47 PM, Tim wrote:
Tim:
...
I gathered that, I meant more specifically what does it do. Does it look for a file using a certain file name on the disc, and what name?
http://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.h...
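Added example, not part of the thread and not Nautilus code: a small audit of a mounted medium's root directory for the file names the linked freedesktop.org autostart specification defines for autostart after mount (.autorun, autorun, autorun.sh, first match only) and for autoopen (.autoopen, autoopen). The function names and the sample directory are constructed for illustration; that a given Nautilus version follows the spec exactly, and the choice not to follow symlinks, are assumptions of this example.

```python
import os
import stat
import tempfile

# File names from the freedesktop.org autostart spec, section
# "Autostart Of Applications After Mount", in the order they are checked.
AUTOSTART_NAMES = (".autorun", "autorun", "autorun.sh")
AUTOOPEN_NAMES = (".autoopen", "autoopen")


def first_regular_file(root, names):
    """Return the first name in `names` that is a regular file directly in `root`."""
    for name in names:
        try:
            # lstat: this audit (an assumption, not the spec) ignores symlinks
            st = os.lstat(os.path.join(root, name))
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode):
            return name
    return None


def audit_medium(root):
    """Report which autostart/autoopen file a spec-following desktop would consider."""
    autostart = first_regular_file(root, AUTOSTART_NAMES)
    executable = False
    if autostart:
        mode = os.lstat(os.path.join(root, autostart)).st_mode
        executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return {
        "autostart": autostart,              # only the first match counts
        "autostart_executable": executable,  # mode bits as seen on this mount
        "autoopen": first_regular_file(root, AUTOOPEN_NAMES),
    }


def build_sample_medium(root):
    """Constructed sample: a fake medium root holding two candidate files."""
    for name, mode in (("autorun", 0o644), ("autorun.sh", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho constructed sample\n")
        os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as medium:
        build_sample_medium(medium)
        print(audit_medium(medium))
```

Pointing audit_medium at a real mount point (for example a directory under /media) shows whether the medium carries a file that would trigger the "open auto-run prompt" behaviour discussed above.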