Announcement

Collapse
No announcement yet.

OpenSUSE Looking At Blacklisting Legacy & Less Secure File-Systems

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • OpenSUSE Looking At Blacklisting Legacy & Less Secure File-Systems

    Phoronix: OpenSUSE Looking At Blacklisting Legacy & Less Secure File-Systems

    Following a move by SUSE blacklisting legacy / less-used file-systems in SUSE Linux Enterprise, OpenSUSE is looking at doing the same to blacklist the kernel modules for a number of esoteric file-systems as well as the likes of JFS and F2FS...

    http://www.phoronix.com/scan.php?pag...E-FS-Blacklist

  • #2
    This is one of the worst ideas I've seen in a while. OpenSUSE has an installer, and it can limit which file systems people can create in it. That's a perfectly sane choice (with exclusion of F2FS, which should be considered a standard, I've used it for a while and it's been perfectly solid).

    My problem is that blacklists of kernel modules will cause trouble for people who want to mount file systems on the list. This is intentional limiting of compatibility, and people might want to move data off such file systems somewhere else, and having them either disable the blacklist or use another machine or operating system to move files around is just silly.

    Comment


    • #3
      Originally posted by DoMiNeLa10 View Post
      This is one of the worst ideas I've seen in a while. OpenSUSE has an installer, and it can limit which file systems people can create in it. That's a perfectly sane choice (with exclusion of F2FS, which should be considered a standard, I've used it for a while and it's been perfectly solid).

      My problem is that blacklists of kernel modules will cause trouble for people who want to mount file systems on the list. This is intentional limiting of compatibility, and people might want to move data off such file systems somewhere else, and having them either disable the blacklist or use another machine or operating system to move files around is just silly.
      Consider the following scenarios

      - network attached block devices
      - loopback filesystems (eg. Containers)
      - auto mounted USB sticks

      all of the filesystems the SUSE Kernel developers are suggesting are blacklisted can cause serious system security or denial of service issues.

      do you really want to be running an operating system that can be broken by someone walking around with a USB stick?

      I don’t. But that means ensuring the kernel can’t mount such filesystems without manual intervention.

      blacklisting the dangerous filesystems is the sensible way to mitigate the risks that supporting those filesystems brings

      Comment


      • #4
        Originally posted by sysrich View Post
        do you really want to be running an operating system that can be broken by someone walking around with a USB stick?
        If someone has psychical access to your device, you're screwed. No amount of software-level protection can save you. Not mounting random file systems is security 101, and babysitting people makes things worse for everyone. Blacklisting these modules puts OpenSUSE at an disadvantage, as pretty much every other distro will end up being more compatible.

        Comment


        • #5
          Why are these considered dangerous ? I have ran jfs for years with no issues. It is still the fastest fs for synchronous writes on a rotating drive.

          They should stop auto mounting crap instead of blacklisting some useful filesystems. Just let one wonder if there is an agenda...

          The people who are going to waste hours because of this should sue them for the lost productivity ...

          "Linux" is loosing a lot of what made it attractive. We should all start using things like Alpine that is still pure.

          Let the big distro's go to hell with their corporate BS.

          Better yet: Someone please write us a new OS
          Last edited by Raka555; 02-09-2019, 09:42 AM.

          Comment


          • #6
            Originally posted by Raka555 View Post
            Why are these considered dangerous ? I have ran jfs for years with no issues. It is still the fastest fs for synchronous writes on a rotating drive.
            https://sourceforge.net/p/jfs/mailman/jfs-discussion/thread/[email protected]/

            i believe the concerns raised in this thread still hold true today, and the recent jfs CVEs probably raised the impact of having an unmaintained filesystem readily activated on everyone’s machines

            see https://lists.opensuse.org/opensuse-.../msg00615.html for more

            They should stop auto mounting crap instead of blacklisting some useful filesystems. Just let one wonder if there is an agenda...
            sure, and if we disable auto mounting there is still the fact users can mount stuff, should we block that also, for every filesystem?

            See: https://lists.opensuse.org/opensuse-factory/2019-01/msg00625.html

            The people who are going to waste hours because of this should sue them for the lost productivity ...
            you want to sue a non profit, volunteer driven community distribution that takes no money from its users?
            a community which is open to keeping the filesystems if other people support them now the current ones don’t wish to https://lists.opensuse.org/opensuse-.../msg00185.html

            good luck with that. Who should we make the cheque out to, the Entitled Users of Phoronix Foundation?

            Comment


            • #7
              Originally posted by Raka555 View Post
              Better yet: Someone please write us a new OS
              As far as not Linux solutions, I'm waiting on a combination of AMDGPU on BSD to mature a bit more and BSD's Linux subsystem to be good enough for Wine and Linux Steam (should clarify -- the driver for wine, the subsystem for Steam). Outside of games, BSD does everything I need. I know damn well BSD is perfectly capable of gaming -- the PS4 runs BSD with an AMD GPU.

              The alternative is to use distributions like Gentoo where you can blacklist and allow what you want as necessary. Since I don't see the BSD stuff happening anytime soon, Linux from source it'll end up being. If I'd quit getting distracted, I'd already be on Gentoo. I was going to do it last month, but when I had the free time I was too close to my monthly bandwidth limit to risk downloading all those sources.

              Yeah, my cable internet has bandwidth caps. They were implemented the very month NN was repealed....and they raised rates that month too....it sucks paying more for less internet and having games like RDR2 take 10% to 15% of the monthly allotment just to download....

              Comment


              • #8
                Originally posted by DoMiNeLa10 View Post
                My problem is that blacklists of kernel modules will cause trouble for people who want to mount file systems on the list. This is intentional limiting of compatibility, and people might want to move data off such file systems somewhere else, and having them either disable the blacklist or use another machine or operating system to move files around is just silly.
                This blacklisting happens by adding them to a text file called /etc/modprobe.d/50-blacklist.conf
                that also currently contains a long list of other random trash drivers they don't want to enable by default.

                If someone REALLY needs that specific filesystem enabled can just go and edit this file as root.

                EDIT: you should also rebuild the initramfs so if that module has to be included in the early boot image it will be, with sudo mkinitrd
                Last edited by starshipeleven; 02-09-2019, 10:57 AM.

                Comment


                • #9
                  Originally posted by DoMiNeLa10 View Post
                  This is one of the worst ideas I've seen in a while. OpenSUSE has an installer, and it can limit which file systems people can create in it. That's a perfectly sane choice (with exclusion of F2FS, which should be considered a standard, I've used it for a while and it's been perfectly solid).
                  The issue is not stability but security.

                  I'd also like to add that f2fs is an ongoing shitshow on OpenWrt, breaking left and right on archs that are not x86, although this does not matter for OpenSUSE specifically of course.

                  Comment


                  • #10
                    Originally posted by sysrich View Post
                    you want to sue a non profit, volunteer driven community distribution that takes no money from its users?
                    This choice mimics SUSE's, so maybe he wants to sue SUSE's company.

                    Still good luck with that.

                    Comment

                    Working...
                    X