Path: utzoo!utgpu!watmath!clyde!att!pacbell!ames!xanth!nic.MR.NET!hal!ncoast!allbery
From: allbery@ncoast.UUCP (Brandon S. Allbery)
Newsgroups: comp.unix.wizards
Subject: Re: Mounting floppies
Message-ID: <13202@ncoast.UUCP>
Date: 3 Dec 88 17:16:44 GMT
References: <129@minya.UUCP> <8800002@gistdev> <5682@louie.udel.EDU>
Reply-To: allbery@ncoast.UUCP (Brandon S. Allbery)
Followup-To: comp.unix.wizards
Organization: Cleveland Public Access UN*X, Cleveland, Oh
Lines: 49

As quoted from <5682@louie.udel.EDU> by law@udel.EDU (Jeff Law):
+---------------
| In article <8800002@gistdev> flint@gistdev.UUCP writes:
| >I think it would be nice to have an option on mount that would basically say
| >"If the suid or guid bits are set on any files not owned by me, then clear the
| >bits and then mount the floppy."
|
| suid programs are not the only problem with allowing users to mount floppies,
| what is going to stop me from putting my floppy in the drive and saying
| mount /dev/floppy /etc
+---------------

I responded to the original posting by mail with a fairly secure approach.  I
should note that such an approach limits the usefulness of the floppy drive,
however.

Start out by making the floppy ?rwx------ root.  (The ? is "c" or "b"; this
must be done to both raw and character devices, and MUST BE DONE TO ALL FLOPPY
DRIVES ON THE SYSTEM.)  A setuid program is then used to mount floppies.  It
checks the floppy in question for a magic number in the superblock (most
superblocks have an unused area where such a number could be hidden) which
identifies the uid of the owner -- which must be that of the person doing the
mount -- and that this is a special user-mountable floppy.  (Root must build
and flag the floppy because of the permissions.)  It then will only mount the
floppy on an empty directory in the user's directory hierarchy, whose path (at
least from below the home dir on down) contains no symlinks and which is owned
by the user doing the mount.

It also might be a good idea to refuse mounts by people logged in on non-local
terminals, although this isn't necessarily so.  (Back when ncoast was a TRS-80
Model 16 with a 15MB disk, my home directory was the floppy drive....)

The minus of this scheme is that only root can use the floppy for non-mounted
disks (tar/cpio/whatever).  The plus is that a user can have his/her own set of
mountable disks, and not only can the user not break into the system, but
nobody else can "borrow" the disks and mount them to snoop around in them.

No doubt there are a few things I overlooked, but this is a pretty good start
and can probably be refined to remove any remaining security holes.  Note that
under System V without symlinks, it's pretty secure already....

++Brandon
--
Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X
uunet!hal.cwru.edu!ncoast!allbery ncoast!allbery@hal.cwru.edu
allberyb@skybridge.sdi.cwru.edu allbery@uunet.uu.net
comp.sources.misc is moving off ncoast -- please do NOT send submissions direct
Send comp.sources.misc submissions to comp-sources-misc@.
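The mount-point rule the post describes (empty directory under the user's home, no symlinks on the path, every component owned by the mounting user) as an added C example; this is not code from the post or from ncoast. The function name, the `home`/`target` parameters and the reason strings are my own; it assumes a POSIX system and leaves the superblock magic-number check, the setuid handling and the mount(2) call itself out.

```c
/* Added example (not code from the original post): the mount-point check the
 * post describes. Walks TARGET from HOME down with lstat(), rejecting symlinks,
 * components not directories owned by UID, and "." or ".."; the final directory
 * must be empty. The mount(2) call itself is out of scope. POSIX assumed. */
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* 1 if PATH is a directory holding nothing but "." and "..", else 0. */
static int dir_is_empty(const char *path)
{
    DIR *d = opendir(path);
    struct dirent *e; int empty = 1;
    if (!d) return 0;
    while (empty && (e = readdir(d)) != NULL)
        empty = !strcmp(e->d_name, ".") || !strcmp(e->d_name, "..");
    closedir(d);
    return empty;
}
/* Returns 0 if TARGET is an acceptable mount point for UID, else -1 with *WHY set. */
int check_mount_point(const char *home, const char *target, uid_t uid, const char **why)
{
    char buf[4096];                 /* prefix of TARGET checked so far */
    size_t hlen = strlen(home);
    const char *p = target + hlen;  /* rest of TARGET still to walk */
    struct stat st;
    if (home[0] != '/' || hlen >= sizeof buf || strncmp(target, home, hlen) || *p != '/') {
        *why = "target not below home"; return -1;
    }
    memcpy(buf, home, hlen + 1);    /* HOME itself is checked first */
    for (;;) {
        if (lstat(buf, &st) != 0) { *why = "cannot stat component"; return -1; }
        if (S_ISLNK(st.st_mode))  { *why = "symlink on path"; return -1; }
        if (!S_ISDIR(st.st_mode)) { *why = "component not a directory"; return -1; }
        if (st.st_uid != uid)     { *why = "component not owned by user"; return -1; }
        if (*p == '\0') break;      /* whole TARGET walked */
        const char *q = p + 1, *end = strchr(q, '/');
        size_t clen = end ? (size_t)(end - q) : strlen(q);
        if (clen == 0 || (clen <= 2 && strspn(q, ".") == clen)) { *why = "bad component"; return -1; }
        if (strlen(buf) + 1 + clen >= sizeof buf) { *why = "path too long"; return -1; }
        strcat(buf, "/");
        strncat(buf, q, clen);
        p = q + clen;
    }
    if (!dir_is_empty(buf)) { *why = "mount point not empty"; return -1; }
    *why = "ok"; return 0;
}
```

Because every component is inspected with lstat() rather than stat(), a link planted anywhere between the home directory and the target is refused instead of silently followed, which is the case the post's "contains no symlinks" condition is there to close.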