USB security - transferring files from infected windows machine to Linux box
Hello
I would like to take some files from both a camera and a USB stick that have been used on a Windows laptop that had a virus/trojan(s). But I'm concerned that any nasties on those media will crawl over to my Linux machine.
To add to this, auto mount seems to mount everything as root, which seems like a security hole to me. I understand that it's difficult to auto-run shell scripts or executables from USB media in Linux, but it can be done.
What are the risks, or how can I ensure safe browsing of the media?
Mounting things as root is not a security hole. Root would be able to access the device anyway. Mounting it as root can prevent a normal user from accessing it if the "other" bit doesn't allow it.
As a precaution, always mount a FAT32 or external drive with the "noexec" option. For flash devices, these are the permissions used by default for a FAT32 pendrive: "rw,nosuid,nodev,noatime,flush,uid=1000,utf8,shortname=lower". Add noexec to these options. Use "fmask=0117" to disable the 'x' bit for files as well.
Allowing automatic execution of scripts or programs for devices (flash or CD) is a stupid and dangerous idea, and it would be up to you to configure your system to do it (such as dispatching a program to check and execute from a udev rule). Besides, I don't think there is a standard for doing this, so why bother. If your distro is so "user friendly" that it configures your system to do it by default, then get another distro. You do need to be careful, however, that you don't boot to this removable media.
Your larger concern may be files such as PDFs or JPEGs that are phony and try to exploit known security flaws via buffer overflow. You already have some protection against that, but make sure that your system is updated with all security patches. It is doubtful that a file that infected a Windows machine will be written to exploit both Windows and Linux, and even if it were, getting code executing would be extremely difficult. It would have needed to drop one payload to run in Windows and another to run in Linux.
You can run a virus scanner in Linux to detect Windows viruses. Consider doing this from Knoppix. Running a Knoppix live disk, you can download the latest virus definitions from the web. Then insert the device and run a scan. Don't copy infected files unless you are doing this for research.
Another option is to use a virtual machine to load these files in and examine them. Then delete or shred the VM image when you are finished.
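An added example (not from the thread) of the mount options this reply recommends, with a small POSIX sh check that reads a mount table in /proc/mounts format and reports which hardening options a given mount point is missing. The device name, the /mnt/quarantine mount point and the sample mount lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: hardened mount of a suspect FAT32 stick plus a /proc/mounts audit.
# /dev/sdb1, /mnt/quarantine and SAMPLE_MOUNTS below are constructed for illustration.
REQUIRED_OPTS="ro noexec nosuid nodev"

# The mount command itself (needs root; not run here):
#   mount -t vfat -o ro,noexec,nosuid,nodev,fmask=0117,dmask=0077,uid=1000 /dev/sdb1 /mnt/quarantine
# or the equivalent fstab line:
#   /dev/sdb1  /mnt/quarantine  vfat  ro,noexec,nosuid,nodev,fmask=0117,dmask=0077,uid=1000,noauto  0  0
# ro keeps the media unaltered, noexec blocks direct execution, and fmask=0117
# clears the x bit so nothing on the stick even looks executable to "ls -l".

# Constructed /proc/mounts lines: first as an auto-mounter leaves it, second hardened
SAMPLE_MOUNTS='/dev/sdb1 /media/disk vfat rw,nosuid,nodev,noatime,flush,uid=1000,utf8,shortname=lower 0 0
/dev/sdb1 /mnt/quarantine vfat ro,nosuid,nodev,noexec,noatime,uid=1000,fmask=0117,dmask=0077,utf8,shortname=lower 0 0'

# missing_opts MOUNTPOINT MOUNTS_TEXT: print the required options absent from that mount
# ("not-mounted" if the mount point is not present); exit 0 only when nothing is missing
missing_opts() {
    opts=$(printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4; exit }')
    if [ -z "$opts" ]; then echo "not-mounted"; return 1; fi
    missing=""
    for o in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$o,"*) ;;
            *) missing="$missing $o" ;;
        esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# effective_mode MASK: permission bits left after vfat applies fmask/dmask (0777 & ~mask)
effective_mode() {
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

# Audit the live system when the quarantine mount point exists
if [ -r /proc/mounts ]; then
    missing_opts /mnt/quarantine "$(cat /proc/mounts)" || true
fi
```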
Um, no - I haven't configured my machine to auto-execute files from removable media!
Running Debian Etch, btw. I presume that the means of controlling how media is mounted is through udev rules. So if I configure gnome-volume-manager to stop auto-mounting removable media, I could plug in a USB drive without risk and examine logs for drive properties to produce a udev rule specifically, or write an entry into fstab including the flags you mention. Sort of typing out loud there.
Mounting devices as root - that was purely to make the point that if an auto-mounted executable could run itself, then, as it had root permissions, it could do what it liked.
My understanding of Windows file permissions is that there is no executable bit to set - again, I guess mounted permissions depend on the default or the udev rule umask.
A file with root ownership is normal. Look at your /bin/ directory. What is dangerous is launching programs as root or setting the suid permission bit, which would change the effective UID to the owner's. In Linux, the suid bit has no effect for scripts.
Auto mounting usually uses the user as the owner of a vfat or ntfs partition.
If you are going to examine a USB flash drive that you suspect has MS viruses on it, you could as an extra precaution stop the hald & dbusd daemons. The udev system depends on these services.
Also check if your system uses PolicyKit. The policies may be used to determine whether a local user can mount external devices.
PolicyKit works a little bit differently. For example, instead of changing the group owner of a device file, it uses setfacl to allow access to a regular user.
Code:
<!--
Policy definitions for HAL's drives/media mechanisms.
Copyright (c) 2007 David Zeuthen <david@fubar.dk>
HAL is licensed to you under your choice of the Academic Free
License Version 2.1, or the GNU General Public License version 2. Some
individual source files may be under the GPL only. See COPYING for
details.
-->
<policyconfig>
  ...
  <action id="org.freedesktop.hal.storage.mount-removable">
    <description>Mount file systems from removable drives.</description>
    <message>System policy prevents mounting removable media</message>
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  ...
</policyconfig>
Changing allow_active to "auth_admin_keep_always" would require root authorization to mount an external drive. You can use the polkit-auth program to dynamically grant or deny permissions to a session user.
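An added example (not from the thread) that audits the allow_active default discussed above: it extracts the value for the mount-removable action from a policy file in the format shown and reports whether mounting needs admin authentication. The policy path is the usual PolicyKit 0.9 location for HAL's policies and is an assumption; the two policy texts are constructed samples, the second being the shipped default with the change the reply suggests.

```shell
#!/bin/sh
# Added example: audit the HAL storage mount policy default.
# POLICY_FILE is an assumed path; DEFAULT_POLICY and HARDENED_POLICY are constructed samples.
POLICY_FILE=/usr/share/PolicyKit/policy/org.freedesktop.hal-storage.policy
ACTION=org.freedesktop.hal.storage.mount-removable

# Constructed sample of the shipped default: any active (console) session may mount
DEFAULT_POLICY='<policyconfig>
  <action id="org.freedesktop.hal.storage.mount-removable">
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>'

# Constructed hardened variant: the same file with allow_active set to auth_admin_keep_always
HARDENED_POLICY=$(printf '%s\n' "$DEFAULT_POLICY" \
    | sed 's#<allow_active>yes#<allow_active>auth_admin_keep_always#')

# policy_allow_active ACTION_ID POLICY_TEXT: print the <allow_active> default of that action
policy_allow_active() {
    printf '%s\n' "$2" | awk -v id="$1" '
        /<action id="/ { in_action = (index($0, "id=\"" id "\"") > 0) }
        in_action && /<allow_active>/ {
            sub(/.*<allow_active>/, ""); sub(/<\/allow_active>.*/, ""); print; exit
        }'
}

# mount_requires_admin ACTION_ID POLICY_TEXT: exit 0 if an admin password is required
mount_requires_admin() {
    case "$(policy_allow_active "$1" "$2")" in
        auth_admin|auth_admin_keep_session|auth_admin_keep_always) return 0 ;;
        *) return 1 ;;
    esac
}

# On a real system, report the installed setting
if [ -r "$POLICY_FILE" ]; then
    printf '%s: allow_active=%s\n' "$ACTION" \
        "$(policy_allow_active "$ACTION" "$(cat "$POLICY_FILE")")"
fi
```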
What you've already been told in the thread is accurate. Furthermore, Windows viruses pose very little threat on Linux unless you decide to execute them manually under Wine, and even then their impact is limited, if they work at all.