Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!pdn!palan!ckctpa!crash
From: crash@ckctpa.UUCP (Frank J. Edwards)
Newsgroups: comp.unix.amiga
Subject: Re: interesting feature on AMIX..
Keywords: unix security, amix security, setuid
Message-ID: <1991Jun21.201119.722@ckctpa.UUCP>
Date: 21 Jun 91 20:11:19 GMT
References: <13706@mentor.cc.purdue.edu> <1991Jun19.204906.19339@dvorak.amd.com> <426@hfsi.UUCP>
Organization: Edwards & Edwards Consulting
Lines: 43

In article <426@hfsi.UUCP> emcphers@manu.cs.vt.edu (Frank McPherson) writes:
>
>If you restrict the mounting to floppies on a specific subtree, it's not
>that much of a security hole.  For example, you could write a small
>program which would be called by a student which would mount a floppy
>disk residing in the internal disk drive to /sony, or something similar.
>That is, in fact, what is done at Virginia Tech.  What we've got down
>there is a computer lab with four or five 3000UXD's which get used by
>many students.  In order to avoid filling up the drives on the UXD's,
>we (the students) have to bring in a floppy which we use as our own
>personal travelling file system.  It works out pretty well in the end.

You could have other problems "in the end!"  ;-)

Suppose I make a floppy on my machine and put a copy of ksh on it.  Then
I make that ksh set-uid to root and mount it on your system.  I execute
that ksh and voilà!  I get the "#" prompt...

>- Frank McPherson  INTERNET: emcphers@manu.cs.vt.edu -

Actually, the solution presented by Steve Warren is much sturdier: the
same script would search the inodes looking for set-uid programs.  If
any were found, the disk would not be mounted.  The "ncheck" command has
an option, -s, which looks for set-uid files on the given media.  It
does not limit the output to any particular user ID, however.

*** WARNING WILL ROBINSON ***

NOTE: you can't mount the disk and run find!!  Once you mount it, the
user could access his set-uid program before the find command located
the problem.  Especially easy to do if you know that find looks through
directory blocks sequentially...

Anyway, maybe I'll write a script for this, but don't hold your breath ;-)

Good luck.
-- 
Frank J. Edwards             | "I did make up my own mind -- there
2677 Arjay Court             |  simply WASN'T ANY OTHER choice!"
Palm Harbor, FL 34684-4504   |                         -- Me
Phone (813) 786-3675 (voice) | Only Amiga Makes It Possible...
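The check the post describes, worked through as an added example (this is not Frank Edwards' script, nor Steve Warren's, nor anything from Virginia Tech): a `find`-based scan for set-uid and set-gid files, wrapped in a mount helper that avoids the race the post warns about by mounting into a staging directory that only root can enter (mode 0700), scanning it there, and only then publishing the floppy at the student-visible mount point. The device path, the staging path and `/sony` are placeholders; the `nosuid` mount option on the final mount is assumed to be available on the target system and is an extra layer, not a substitute for the scan.

```shell
#!/bin/sh
# Added example, not code from the original post. Demonstrates a pre-publication
# set-uid scan of a removable filesystem. Paths and device names are placeholders.

# Print every regular file under $1 carrying the set-uid (04000) or set-gid
# (02000) bit. Returns 0 when at least one such file exists, 1 otherwise.
find_setuid() {
    dir=$1
    hits=$(find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 0
    fi
    return 1
}

# Number of set-uid/set-gid regular files under $1 (handy for scripting/tests).
count_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | wc -l | tr -d ' '
}

# Mount $1 (device, e.g. a floppy; placeholder) read-only into a root-only
# staging directory, refuse it if any set-uid/set-gid file is present, and
# otherwise mount it at $2 (the public mount point, e.g. /sony; placeholder).
# Because the staging directory is mode 0700, no other user can reach the
# files while the scan runs, which is the window the original post warns about.
safe_mount() {
    dev=$1
    public=$2
    stage=/var/tmp/floppy-stage.$$          # placeholder staging location
    mkdir -m 0700 "$stage" || return 2
    if ! mount -o ro "$dev" "$stage"; then
        rmdir "$stage"
        return 2
    fi
    if find_setuid "$stage" >/dev/null; then
        echo "refusing to mount $dev: set-uid/set-gid file present" >&2
        umount "$stage"
        rmdir "$stage"
        return 1
    fi
    umount "$stage"
    rmdir "$stage"
    # Assumption: this system's mount(1M) accepts -o nosuid. It makes the kernel
    # ignore set-uid bits on this mount even if a file slipped past the scan.
    mount -o ro,nosuid "$dev" "$public"
}

# Usage (as root): sh this-script.sh --mount /dev/fd0 /sony   (both placeholders)
if [ "${1:-}" = "--mount" ]; then
    safe_mount "$2" "$3"
fi
```

Two things a practitioner should keep in mind when adapting this: `find` only sees what the mounted filesystem exposes, so a scan of the raw device such as the `ncheck -s` the post mentions is the stronger check where it is available; and between the `umount` of the staging directory and the final `mount` there is a brief window in which the medium could be swapped, which is why the final mount also carries `nosuid` rather than relying on the scan alone.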