I just noticed a strange loop device that was added to my machine today.
It is mounted under /run/media/<user>/CENA_X86FREE_EN-US_DV9 and seems to contain Windows files, probably a Windows installer with a bit more than 4.1GB used space (directories boot, efi, files bootmgr etc).
It seems to correspond to /dev/loop1 (3.8 GiB), an fdisk entry I saw for the first time.
The files are all dated back to November 2020. I am highly confused where this is coming from, given that I am on a Linux system and usually not using Windows data.
When checking mount I also see entries that seem to relate to the ttf-ms-win10-auto AUR package I had been trying to install earlier (but failed with error):
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=1633076k,nr_inodes=408269,mode=700,uid=1000,gid=1000,inode64)
gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
httpfs2 on /home/<user>/.cache/yay/ttf-ms-win10-auto/src/mnt/http type fuse.httpfs2 (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
/dev/loop1 on /run/media/<user>/CENA_X86FREE_EN-US_DV9 type udf (ro,nosuid,nodev,relatime,uid=1000,gid=1000,iocharset=utf8,uhelper=udisks2)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
I am not sure about the other mount entries, but do recognize httpfs2 to be also related with the MS core fonts package.
Reading the comments below the package details in AUR, I do understand that the loop device was added during failed installation of the package and now seems to have been mounted for several hours.
The download did not appear to be as fast as to contain 4GB and from the comments in the package details I would have expected around 200MB.
Does this mean that the loop device was added similar to sshfs and the files are remote? (this is how I would understand the httpfs2 entry)
What security implications do loop devices, especially when they were added by an unknown package, have; also in comparison to 'regular' package installations that do not use loop devices?
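
One way to check what a loop device is actually backed by, as an added example that is not part of the original post: the kernel exposes each attached loop device's backing file in /sys/block/loopN/loop/backing_file, and the mount table shows which filesystem that file lives on. The function names, the backing path and the ext4 root line are assumptions constructed for the demo; only the httpfs2 mount line follows the output quoted above.

```shell
# Added example (not from the original post). Maps each attached loop device
# to its backing file and to the filesystem that file lives on.

# Print "<mountpoint> <fstype>" for the longest mount point containing path $2,
# read from the /proc/mounts-style table in file $1.
# Simplification: octal escapes such as \040 in mount points are not decoded.
fs_for_path() {
    awk -v p="$2" '
        { mp = $2
          if ((p == mp || mp == "/" || index(p, mp "/") == 1) && length(mp) > best) {
              best = length(mp); hit = mp " " $3 } }
        END { if (hit != "") print hit }' "$1"
}

# For each loop device under sysfs root $2 (/sys/block on a live system) print
# "<dev> <backing file> <mountpoint> <fstype> <FUSE-backed|local>".
loop_report() (
    for f in "$2"/loop*/loop/backing_file; do
        [ -r "$f" ] || continue            # skip devices with no backing file
        dev=${f#"$2"/}; dev=${dev%%/*}
        backing=$(cat "$f")
        info=$(fs_for_path "$1" "$backing")
        mp=${info% *}; fstype=${info##* }
        case $fstype in fuse|fuse.*) note=FUSE-backed ;; *) note=local ;; esac
        printf '%s %s %s %s %s\n' "$dev" "$backing" "$mp" "$fstype" "$note"
    done
)

# Constructed sample: the backing path and the ext4 root line are assumptions;
# the httpfs2 line follows the mount output quoted in the post.
demo() (
    t=$(mktemp -d)
    mkdir -p "$t/sys/loop1/loop"
    echo "/home/user/.cache/yay/ttf-ms-win10-auto/src/mnt/http/example.iso" \
        > "$t/sys/loop1/loop/backing_file"
    cat > "$t/mounts" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
httpfs2 /home/user/.cache/yay/ttf-ms-win10-auto/src/mnt/http fuse.httpfs2 rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
EOF
    loop_report "$t/mounts" "$t/sys"
    rm -rf "$t"
)

demo
# Live use: loop_report /proc/mounts /sys/block
```

A FUSE-backed result means reads from the loop device are served by the userspace filesystem process behind that mount, so the device can expose far more data than has been downloaded.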