From: utzoo!decvax!harpo!eagle!mhtsa!alice!npoiv!houxm!ihnp4!stolaf!borman
Newsgroups: net.unix-wizards
Title: Re: Allowing users to mount disks
Article-I.D.: stolaf.889
Posted: Thu Apr 21 01:08:59 1983
Received: Wed Apr 27 06:39:16 1983

We have two RX02 floppies (on a PDP 11/70 running V7) and have been allowing users to mount and unmount them for years, through commands named rxmount and rxumount, which do the obvious things. It does a dcheck -s before it mounts it to check the integrity of the floppy and to look for setuid programs. If the dcheck fails, the user gets a message to go see the system manager to get it fixed. We are kind of isolated here, no other systems with RX02s around for people to get at, and since double density RX02 is not real standard, we don't have to worry much about people mucking the file system. (The user has access only to double density, not single density.)

This system is great except for the old floppy-switch-after-the-mount routine. We were just talking about it recently, and it suddenly occurred to me what the obvious solution is to people mounting and then switching floppies (two identical floppies, except one has, say, a program setuid sys). In sys1.c, when looking at the setuid bit, also check what device the file resides on. If it is the floppy, don't honor the setuid/setgid bits. Thus, you are effectively declaring certain devices, which are always going to be user-mounted filesystems, to not have any set-uid bits. Of course, you could still twiddle the ownership, but if you disallow setuid/setgid, who cares? The main security problem has been removed.

We have not implemented this yet, since it is rather low on our list of projects, but it would not take much work to do. Probably the cleanest way to implement this would be to add a setuidok field to the block device switch table, and then just consult the table to see if it is ok to honor the setuid/setgid bits.

-Dave Borman, {ihnp4|harpo}!stolaf!borman
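The per-device check proposed in the post above, sketched as a user-space C model. This is an added example, not part of the original post and not V7 kernel source; the struct names, the d_setuidok field, the device table contents and the uid/gid values are all assumptions made for illustration.

```c
#include <stdio.h>

/* User-space model of the exec-time decision; every name here is hypothetical. */
#define ISUID 04000
#define ISGID 02000
#define DEV_MAJOR(d)   (((d) >> 8) & 0377)   /* 16-bit dev_t: high byte is the major */
#define MKDEV(ma, mi)  (((ma) << 8) | (mi))

struct bdevsw_model {
    const char *d_name;
    int d_setuidok;   /* nonzero: honor setuid/setgid for files on this device */
};

/* Constructed table: major 0 is a fixed system disk, major 1 a user-mountable floppy. */
static const struct bdevsw_model bdevsw_model[] = {
    { "hp", 1 },
    { "rx", 0 },
};
#define NBLKDEV ((int)(sizeof bdevsw_model / sizeof bdevsw_model[0]))

struct inode_model { int i_dev, i_mode, i_uid, i_gid; };
struct cred_model  { int uid, gid; };

/* Fail closed: a major number outside the table never gets setuid honored. */
static int setuid_ok(int dev)
{
    int maj = DEV_MAJOR(dev);
    return maj < NBLKDEV && bdevsw_model[maj].d_setuidok;
}

/* Effective ids a process would run with after exec of the file ip. */
struct cred_model exec_ids(const struct inode_model *ip, struct cred_model caller)
{
    struct cred_model eff = caller;
    if (!setuid_ok(ip->i_dev))
        return eff;                 /* bits on this device are ignored */
    if (ip->i_mode & ISUID) eff.uid = ip->i_uid;
    if (ip->i_mode & ISGID) eff.gid = ip->i_gid;
    return eff;
}

int main(void)
{
    struct cred_model user = { 100, 10 };
    struct inode_model floppy = { MKDEV(1, 0), 0104755, 0, 0 };  /* setuid, owner 0 */
    struct inode_model disk   = { MKDEV(0, 0), 0104755, 0, 0 };
    printf("floppy: euid=%d\n", exec_ids(&floppy, user).uid);
    printf("disk:   euid=%d\n", exec_ids(&disk, user).uid);
    return 0;
}
```

Because the decision is made at exec time from the device the file lives on, it holds no matter what media is in the drive, which is the floppy-swap case the mount-time dcheck cannot cover.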