Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!hfsi!frank
From: frank@hfsi.UUCP (Frank McPherson)
Newsgroups: comp.unix.amiga
Subject: Re: interesting feature on AMIX..
Keywords: unix security, amix security, setuid
Message-ID: <436@hfsi.UUCP>
Date: 25 Jun 91 12:38:56 GMT
References: <431@hfsi.UUCP> <1991Jun24.005213.944@convex.com> <432@hfsi.UUCP> <1991Jun24.173951.17552@convex.com>
Reply-To: emcphers@manu.cs.vt.edu (Frank McPherson)
Organization: HFS Inc., McLean VA.
Lines: 16

In article <1991Jun24.173951.17552@convex.com> swarren@convex.com (Steve Warren) writes:
> [...]
>But then we're not talking about "normally," are we? We are discussing
>a security hole that allows anyone with one semester of OS knowledge to
>become root on all of these machines (the ones with your custom floppy
>filesystem hack on them). Once you become root, forget about restrictions
>of where you can store files. There are none. Root is the boss.

I'm curious: how do you propose to fix this? Is it an operating system
problem? Is it possible to securely allow anyone to mount a floppy? From
what you've already said, I guess that requires asking if it's possible to
make sure that there are no setuid'd files on the disk, or it means ignoring
the setuid bit. Which would be better? Why would it be better?

- Frank McPherson
INTERNET: emcphers@manu.cs.vt.edu
--
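
The two options raised in the post above (making sure the disk holds no setuid files, or having the system ignore the setuid bit on it) can both be audited from the administrator's side. The following is an added example, not part of the original post or of AMIX: it assumes a Linux-style `/proc/mounts` table and the `nosuid` mount option, and the sample mount table, the `/mnt/` and `/media/` prefixes, and the function names are constructed for illustration.

```python
import os
import stat

# Constructed sample in /proc/mounts layout: device, mount point, type, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/fd0 /mnt/floppy vfat rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /media/usb ext2 rw,relatime 0 0
"""

def mounts_honoring_setuid(mount_table, user_mount_prefixes=("/mnt/", "/media/")):
    """Return user-mountable mount points that lack nosuid (setuid bit still honored)."""
    risky = []
    for line in mount_table.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, ignore
        mount_point, options = fields[1], fields[3].split(",")
        if mount_point.startswith(user_mount_prefixes) and "nosuid" not in options:
            risky.append(mount_point)
    return risky

def find_setid_files(root):
    """Walk root without following symlinks; list setuid/setgid regular files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or unreadable; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.filemode(st.st_mode), st.st_uid))
    return sorted(hits)

if __name__ == "__main__":
    # Option 2 from the post: is the setuid bit ignored on removable media?
    print("mounts without nosuid:", mounts_honoring_setuid(SAMPLE_MOUNTS))
    # Option 1 from the post: does the mounted disk carry any setuid/setgid files?
    for path, mode, uid in find_setid_files("/mnt"):
        print(mode, "uid=%d" % uid, path)
```

A scan only reports what is on the disk at the moment it runs, whereas the mount option applies for as long as the filesystem stays mounted.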