Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!hfsi!frank
From: frank@hfsi.UUCP (Frank McPherson)
Newsgroups: comp.unix.amiga
Subject: Re: interesting feature on AMIX..
Keywords: unix security, amix security, setuid
Message-ID: <433@hfsi.UUCP>
Date: 24 Jun 91 15:08:28 GMT
References: <13706@mentor.cc.purdue.edu> <1991Jun19.204906.19339@dvorak.amd.com> <426@hfsi.UUCP> <1991Jun21.201119.722@ckctpa.UUCP> <431@hfsi.UUCP>
Reply-To: emcphers@manu.cs.vt.edu (Frank McPherson)
Organization: HFS Inc., McLean VA.
Lines: 22

In article avalon@coombs.anu.edu.au (Darren Reed) writes:
>it is a bit of a security problem, the Amiga3000UX should come with an
>entry for /dev/dsk/fd0 in one of the files in /etc (maybe fstab but
>commented out) to make it easier for novices to mount the floppy
>drive (not as easy as it sounds for a novice!) and to have it mount
>with the correct options - it is possible to mount a device under unix
>and have it IGNORE setuid bits - it's just that most devices are mounted
>"setall". The default is "setall" I believe, so that if you mount a
>floppy without disabling setuid programs people can quite easily create
>setuid programs on floppy disks and execute them on your 3000.

It's currently easy for novices to mount the floppy drives; what I'm
unsure about now is the setuid thing. It's news to me that you can mount
it to ignore the file mode bits; maybe I need to get friendly with the
manuals for an evening to try to figure this one out. It's currently
getting looked at much more closely than I ever have, so things keep
popping up which I hadn't really considered. I wonder if the people who
set up the lab systems for my school considered them? At any rate, I'll
go home and try to check the options used with the mount command
currently in place.

-- Frank McPherson INTERNET: emcphers@manu.cs.vt.edu --
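
Added example, not part of either poster's message: a small shell audit for the check discussed above, listing removable-device mounts that still honour setuid bits. It assumes the Linux /proc/mounts field layout and the "nosuid" option name rather than AMIX's own mount table and option names, which the thread does not give; the sample table is constructed.

```sh
#!/bin/sh
# Assumption: input uses the Linux /proc/mounts layout
#   device mountpoint fstype options dump pass
# and "nosuid" is the option that makes the kernel ignore setuid bits.

# audit_suid_mounts PATTERN
#   Reads mount-table lines on stdin and prints "mountpoint device" for
#   each entry whose device matches the shell glob PATTERN and whose
#   option list does not contain nosuid.
audit_suid_mounts() {
    pattern=$1
    while read -r dev mnt fstype opts _rest; do
        # Skip blank lines and comments.
        case $dev in ''|'#'*) continue ;; esac
        # Only consider devices matching the pattern (e.g. floppies).
        case $dev in $pattern) ;; *) continue ;; esac
        # Wrap in commas so "nosuid" matches only as a whole option.
        case ",$opts," in
            *,nosuid,*) ;;                       # setuid bits ignored
            *) printf '%s %s\n' "$mnt" "$dev" ;; # setuid bits honoured
        esac
    done
}

# Constructed sample mount table (not taken from a real system).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/fd0 /mnt/floppy vfat rw,nosuid,nodev 0 0
/dev/fd1 /mnt/floppy2 vfat rw,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nodev 0 0
EOF
}

# Stand-alone run: audit the sample for floppy devices only.
sample_mounts | audit_suid_mounts '/dev/fd*'
```

On a live Linux system the same function can be fed from /proc/mounts instead of the sample table.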