I just noticed a strange loop device that was added to my machine today.

It is mounted under /run/media/<user>/CENA_X86FREE_EN-US_DV9 and seems to contain Windows files, probably a Windows installer with a bit more than 4.1GB used space (directories boot, efi, files bootmgr etc). It seems to correspond to /dev/loop1 (3.8 GiB), an fdisk entry I saw for the first time.

The files are all dated back to November 2020. I am highly confused where this is coming from, given that I am on a Linux system and usually not using Windows data.

When checking mount I also see entries that seem to relate to the ttf-ms-win10-auto AUR package I had been trying to install earlier (but failed with error):

binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=1633076k,nr_inodes=408269,mode=700,uid=1000,gid=1000,inode64)
gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
httpfs2 on /home/<user>/.cache/yay/ttf-ms-win10-auto/src/mnt/http type fuse.httpfs2 (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
/dev/loop1 on /run/media/<user>/CENA_X86FREE_EN-US_DV9 type udf (ro,nosuid,nodev,relatime,uid=1000,gid=1000,iocharset=utf8,uhelper=udisks2)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)

I am not sure about the other mount entries, but do recognize httpfs2 to be also related to the MS core fonts package.

Reading the comments below the package details in AUR, I do understand that the loop device was added during the failed installation of the package and now seems to have been mounted for several hours.

The download did not appear to be fast enough to contain 4GB, and from the comments in the package details I would have expected around 200MB. Does this mean that the loop device was added similar to sshfs and the files are remote? (This is how I would understand the httpfs2 entry.)

What security implications do loop devices have, especially when they were added by an unknown package, also in comparison to 'regular' package installations that do not use loop devices?

kaiya

1 Answer

From your logs:

/dev/loop1 on /run/media/<user>/CENA_X86FREE_EN-US_DV9 type udf

UDF is a format for ISO images of DVDs. The size of DVDs is 4 GB, which is what you describe. However, the image might be only 200 MB full. Mounting disk images as loop devices is the standard way to open them in Linux.

You ran a script from AUR, which downloaded a 200 MB disk image made for Windows, and mounted it to access its content. Then it most likely tried to do something with some of its content, like copying TTF fonts to your system, and failed for some reason. Then it did not clean up afterwards, because it crashed. So you are left with an unused mounted disk image.

This is not a security issue.

Clean up your AUR cache and reboot your computer, and you should be fine.

The Arch Linux community strongly advises reading the AUR scripts before running them. Please do so, because they could be malicious. If you do not understand those scripts, you should not execute them for your own safety.

A. Hersean
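
The `nosuid` and `nodev` options in the question's mount output mean that setuid bits and device nodes inside the mounted image are ignored. As an added example (not part of the original question or answer), the shell function below reads `mount`-style output and lists loop-backed and FUSE mounts together with whether those two options are set; the names `audit_mounts` and `sample_mounts` and the `/dev/loop7` line are constructed for illustration, while the other sample lines are taken from the question.

```shell
#!/bin/sh
# Added example: list loop-backed and FUSE mounts from `mount`-style output and
# report whether nosuid/nodev are set. Expected line format:
#   <source> on <target> type <fstype> (<opt>,<opt>,...)

audit_mounts() {
    awk '
    NF >= 6 && $2 == "on" && $(NF-2) == "type" {
        src = $1; fstype = $(NF-1); opts = $NF
        # The target may contain spaces: rejoin fields 3 .. NF-3.
        target = $3
        for (i = 4; i <= NF - 3; i++) target = target " " $i

        if (src ~ /^\/dev\/loop[0-9]+(p[0-9]+)?$/) kind = "loop"
        else if (fstype ~ /^fuse/)                  kind = "fuse"
        else next

        gsub(/[()]/, "", opts)
        n = split(opts, o, ",")
        split("", has)                      # portable way to clear the array
        for (i = 1; i <= n; i++) has[o[i]] = 1

        missing = ""
        if (!("nosuid" in has)) missing = missing " nosuid"
        if (!("nodev"  in has)) missing = missing " nodev"
        status = (missing == "") ? "ok" : "missing:" missing

        # Columns: kind, mount point, fs type, ro/rw, status
        printf "%s\t%s\t%s\t%s\t%s\n", kind, target, fstype, (("ro" in has) ? "ro" : "rw"), status
    }'
}

# Sample input: three lines from the question plus one constructed line
# (/dev/loop7) that lacks nosuid and nodev.
sample_mounts() {
    cat <<'EOF'
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=1633076k,nr_inodes=408269,mode=700,uid=1000,gid=1000,inode64)
httpfs2 on /home/<user>/.cache/yay/ttf-ms-win10-auto/src/mnt/http type fuse.httpfs2 (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
/dev/loop1 on /run/media/<user>/CENA_X86FREE_EN-US_DV9 type udf (ro,nosuid,nodev,relatime,uid=1000,gid=1000,iocharset=utf8,uhelper=udisks2)
/dev/loop7 on /mnt/my image type ext4 (rw,relatime)
EOF
}

sample_mounts | audit_mounts
```

On a live system, pipe the real output in with `mount | audit_mounts`; `losetup -l` additionally shows which file backs each loop device.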