Manjaro 18: my first install, "Administrator" extremely unsafe by default

I switched a few machines around to Manjaro after Ubuntu seems to be no desktop distro anymore (another story). Today while working on my new Manjaro box I found to my astonishment that a default setup with "Administrator" user is extremely unsafe. I found that I can write a SD card without being asked for password and indeed the installer setup my user to be in group "disk". So when I'm not mistaken any flash ad which overruns my browser can directly patch the Linux kernel, as it has full access to my disks. This is basically the same security level I had with Windows XP.

[fme@silver ~]$ ls -la /dev|grep disk
drwxr-xr-x   6 root root        120 30. Jun 04:43 disk
crw-rw----   1 root disk    10, 237 30. Jun 04:43 loop-control
brw-rw----   1 root disk     8,   0 30. Jun 04:43 sda
brw-rw----   1 root disk     8,   1 30. Jun 04:43 sda1
brw-rw----   1 root disk     8,   2 30. Jun 04:43 sda2
brw-rw----   1 root disk     8,  16 30. Jun 04:43 sdb
brw-rw----   1 root disk     8,  17 30. Jun 04:43 sdb1

So I removed myself from the "disk" group before launching firefox and writing this rant.
Is this just me running on the Manjaro beta, or is this the default setup for an "Administrator" user?

BTW: I'm now a full week on Manjaro and this is the only annoyance I stumbled upon. Manjaro just rocks.

This just sounds like another security issue and it still needs to bypass the sandbox. Besides if they get past the sandbox it would be another more serious security issue.

Highly doubt it, different architecture altogether.

This was covered here too

4 Likes

Well, default groups are defined here:

Upstream we recommend these:

1 Like

Yes sure, modern firefox is designed more securely than that old msie back on XP. It even has an autoupdate and is so secure any Linux runs exactly the same binary! The rest your argument I cannot comprehend. I actually overwritten bytes of a linux kernel on the sd card and could have done equally for the my root partition I boot my laptop from. When I can access the block devices directly I do not need to care about file system permissions.

Thanks, for pointing out.

The issue is fixed within manjaro-tools v0.15.8. The next ISO builds will adopt these changes.

5 Likes

Thanks!

Forget what I said it's wrong, was thinking of the storage group at the time. I've removed the incorrect stuff.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Forum kindly sponsored by