LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-28-2009, 08:52 AM   #1
leighz
LQ Newbie
 
Registered: Feb 2009
Posts: 2

Rep: Reputation: 0
USB security - transferring files from infected windows machine to Linux box


Hello

I would like to take some files from both a camera and usb stick that have been used on a windows laptop that had a virus/trojan(s). But I'm concerned that any nasties on those media will crawl over to my linux machine.

To add to this auto mount seems to mount everything as root which seems like a security hole to me. I understand that it's difficult to auto-run shell scripts or executables from usb media in linux. But it can be done.

What are the risks or how can I ensure safe browsing of the media?

Thanks
 
Old 02-28-2009, 09:21 AM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
Mounting things as root is not a security hole. Root would be able to access the device anyway. Mounting it as root can prevent a normal user access if the "other" bit doesn't allow it.

As a precaution, always mount a fat32 or external drive with the "noexec" option. For flash devices, these are the permissions used by default for a fat32 pendrive: `rw,nosuid,nodev,noatime,flush,uid=1000,utf8,shortname=lower'. Add noexec to these options. Use `fmask=0117' to disable the 'x' bit for files as well.

Allowing automatic execution of scripts or programs for devices (flash or cd) is a stupid and dangerous idea, and it would be up to
you to configure your system to do it (such as dispatching a program to check and execute from a udev rule). Besides, I don't think there is a standard for doing this, so why bother. If your distro is so "user friendly" that it configures your system to do it by default, then get another distro. You do need to be careful however that you don't boot to this removable media.

Your larger concern may be files such as pdf's or jpeg's that are phoney and try to exploit known security flaws via buffer overflow. You already have some protection against that, but make sure that your system is updated with all security patches. It is doubtful that a file that infected a windows machine will be written to exploit both windows and Linux, and even if it would, to get code executing would be extremely difficult. It would have needed to drop one payload to run in windows and another to run in Linux.

You can run a virus scanner in Linux to detect windows viruses. Consider doing this from Knoppix. Running a knoppix live disk, you can download the latest virus definitions from the web. Then insert the device and run a scan. Don't copy infected files unless you are doing this for research.

Another option is to use a virtual machine to load these files in and examine them. Then delete or shred the VM image when your are finished.
 
Old 02-28-2009, 11:26 AM   #3
leighz
LQ Newbie
 
Registered: Feb 2009
Posts: 2

Original Poster
Rep: Reputation: 0
um no - haven't configured my machine to auto-execute files from removeable media!

running debian etch btw. I presume that the means of controlling how media is mounted is through udev rules. So if I configure gnome-volume-manager to stop auto-mounting removable media I could plug in a usb drive without risk and examine logs for drive properties to produce a udev rule specifically/write entry into fstab including the flags you mention. Sort of typing out loud there.

mounting devices as root - was purely to make the point that if an auto-mounted executable could run itself then as it had root permissions it could do what it liked.

My understanding of windows file permissions is that there is no executable bit to set - again I guess mounted permissions depend on default or udev rule umask.

...off to unravel my udev rules

thanks for your comments - very useful

Last edited by leighz; 02-28-2009 at 11:28 AM.
 
Old 03-02-2009, 06:12 AM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
A file with root ownership is normal. Look at your /bin/ directory. What is dangerous is launching programs as root or setting the suid permission bit which would change the effective uid to the owner. In Linux, the suid bit has no effect for scripts.

Auto mounting usually use the user as the owner of a vfat or ntfs partition.

If you are going to examine a usb flash drive that you suspect has MS viruses on it, you could as an extra precaution stop the hald & dbusd daemons. The udev system depends on these services.

Also check if your system uses PolicyKit. The policies may be used to determine whether a local user can mount external devices.
Policykit works a little bit differently. For example, instead of changing the group owner of a device file, it uses setfacl to allow access to a regular user.

Code:
<!--
Policy definitions for HAL's drives/media mechanims.

Copyright (c) 2007 David Zeuthen <david@fubar.dk>

HAL is licensed to you under your choice of the the Academic Free
License Version 2.1, or the GNU General Public License version 2. Some
individual source files may be under the GPL only. See COPYING for    
details.                                                              
-->                                                                   

<policyconfig>

...

  <action id="org.freedesktop.hal.storage.mount-removable">
    <description>Mount file systems from removable drives.</description>
    <message>System policy prevents mounting removable media</message>
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

...

</policyconfig>
Changing allow active to "auth_admin_keep_always" would require root authorization to mount an external drive. You can use the polkit-auth program to dynamically grant or deny permissions to a session user.
 
Old 03-04-2009, 04:37 PM   #5
wsduvall
Member
 
Registered: Aug 2006
Posts: 92

Rep: Reputation: 16
You could also use ClamAV to check for virus. I'm pretty sure that Windows viruses won't carry over in almost all cases... Somebody can verify?
 
Old 03-05-2009, 09:11 AM   #6
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163Reputation: 163
Quote:
Originally Posted by leighz View Post
Hello

I would like to take some files from both a camera and usb stick that have been used on a windows laptop that had a virus/trojan(s). But I'm concerned that any nasties on those media will crawl over to my linux machine.

To add to this auto mount seems to mount everything as root which seems like a security hole to me. I understand that it's difficult to auto-run shell scripts or executables from usb media in linux. But it can be done.

What are the risks or how can I ensure safe browsing of the media?

Thanks
What you've already been told in the thread is accurate. Furthermore, windows viruses pose very little threat on linux unless you decide to execute them manually under wine and even then their impact is limited if they work at all.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Trouble transferring files from a Windows box to a UNIX box. BreakTheWindows2008 Linux - Software 4 08-15-2008 09:10 PM
Transferring files from Linux onto Windows paragkalra Linux - Networking 1 08-08-2008 03:56 AM
How to transferring files from linux machine to linux machine and windows Dinimani Debian 3 05-12-2008 05:50 AM
I canít transfer files from my Windows machine to my Linux box. kingkongadp64 Suse/Novell 10 11-04-2005 12:16 PM


All times are GMT -5. The time now is 06:48 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration