Page MenuHomePhabricator
Create Task
Maniphest T100004

Remove ntfs3g/fuse, review needlessly installed packages
Closed, ResolvedPublic
Actions

Description

Yesterday a local root exploit for fuse was published. The updates are all deployed by now, but this deserves a more structured followup:

The only reason fuse is installed on almost 1000 servers is because ntfs-3g depends on it. ntfs-3g in turn is only installed because it is a Recommends: of ubuntu-standard (and since we install all Recommends by default, it gets installed everywhere.

I plan to

  • get rid of ntfs-3g/fuse on existing servers (after checking with individual "service owners" whether they might have an exotic use case for NTFS partitions, I cannot imagine one, though)
  • patch ubuntu-standard for trusty-wikimedia and precise-wikimedia to drop the Recommends:
  • review whether there are similar security-sensitive packages which are likely unneeded, but get pulled in via unexpected Depends/Recommends

Event Timeline

MoritzMuehlenhoff created this task.May 22 2015, 7:35 AM
MoritzMuehlenhoff claimed this task.
MoritzMuehlenhoff raised the priority of this task from to Needs Triage.
MoritzMuehlenhoff updated the task description. (Show Details)
MoritzMuehlenhoff added a project: acl*sre-team.
MoritzMuehlenhoff subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 22 2015, 7:35 AM
MoritzMuehlenhoff triaged this task as Medium priority.May 22 2015, 7:36 AM
MoritzMuehlenhoff set Security to None.
MoritzMuehlenhoff closed this task as Resolved.Jun 5 2015, 2:10 PM

ntfs-3g and fuse have been removed from all hosts except analytics* and stat1002 (which require fuse for hadoopfs mounts)

The meta packages have been fixed to no longer recommend ntfs-3g so that fuse doesn't get installed when systems are upgraded or re-imaged:
ubuntu-meta-1.267.1+wmf1 for precise-wikimedia
ubuntu-meta-1.325+wmf1 for trusty-wikimedia

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits