Path: utzoo!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!hplabs!decwrl!labrea!rutgers!tut.cis.ohio-state.edu!cwjcc!hal!ncoast!allbery
From: allbery@ncoast.UUCP (Brandon S. Allbery)
Newsgroups: comp.unix.wizards
Subject: Re: Mounting floppies
Message-ID: <13239@ncoast.UUCP>
Date: 11 Dec 88 16:37:28 GMT
References: <129@minya.UUCP> <8800002@gistdev> <5682@louie.udel.EDU> <13202@ncoast.UUCP> <404@hropus.UUCP>
Reply-To: allbery@ncoast.UUCP (Brandon S. Allbery)
Followup-To: comp.unix.wizards
Organization: Cleveland Public Access UN*X, Cleveland, Oh
Lines: 41

As quoted from <404@hropus.UUCP> by jgy@hropus.UUCP (John Young):
+---------------
| > (I [allbery@ncoast] suggest a secure user floppy mounter)
|
| No, you cannot rely on a system which attempts to stop bad things
| from being done to removable media, the effort should be on defending
| against presumed bad media.
| Therefore you still need your suid (sgid might be better?)
| mount command to check for s(uid|gid)
| programs and either clear them or refuse to mount.
+---------------

This can be done as well; after all, a linear pass through a floppy's ilist
doesn't take very long... and you *do* have a point, since someone could build
a floppy on an unprotected system and set the proper flags on it, etc.

(A mountable user floppy doesn't need suid/sgid files anyway.) Special files
(i.e. character or block devices, but not necessarily FIFOs or Xenix name
files, etc. [and do BSD AF_UNIX sockets bind()'ed to filenames still work
after the last close on the socket?]) would probably cause a refusal to mount,
since otherwise the mount utility needs to know quite a bit more about the
filesystem.

Now that I think about it, both conditions (my non-modifiability and your
security checking) are necessary, but neither is sufficient by itself.

--Query: do we need to avoid symlinks as well? From what I know about them,
it might not be necessary because they can't grant access to otherwise
protected files, but....

BTW, sgid won't work in this case; the kernel returns EPERM if anyone except
root tries to do a mount().

Maybe I'll whip up such a program. Won't do much for ncoast (no floppies...)
but might be useful on the job.

++Brandon
-- 
Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X
uunet!hal.cwru.edu!ncoast!allbery  ncoast!allbery@hal.cwru.edu
allberyb@skybridge.sdi.cwru.edu  allbery@uunet.uu.net
comp.sources.misc is moving off ncoast -- please do NOT send submissions direct
Send comp.sources.misc submissions to comp-sources-misc@.
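
The check discussed in the post above, as an added example that is not part of the original post or of any real mount utility: a linear pass over an inode list that refuses the mount when a character or block device is present, and otherwise clears the set-uid/set-gid bits or refuses if clearing is not allowed. The `disk_inode` record, `scan_ilist` and the sample inodes are hypothetical and constructed; a real tool would read the filesystem's own on-disk inode layout from the raw device before calling mount().

```c
#include <stdint.h>
#include <stdio.h>

/* Traditional UNIX mode-word bits (octal), same values as <sys/stat.h>. */
#define M_IFMT  0170000
#define M_IFCHR 0020000
#define M_IFBLK 0060000
#define M_SETID 0006000            /* S_ISUID | S_ISGID */

/* Hypothetical, simplified inode record: only the fields this check reads.
   A real mounter would use the filesystem's own on-disk inode layout. */
struct disk_inode { uint16_t mode, uid, gid; };   /* mode 0 = free inode */

struct scan_result { unsigned devices, setid, cleared; };
enum { MOUNT_OK = 0, MOUNT_REFUSE = 1 };

/* One linear pass over the ilist to count, then an optional second pass to
   clear set-id bits. Device nodes always refuse, and in that case the
   in-memory copy is left unmodified. FIFOs and other types are allowed. */
int scan_ilist(struct disk_inode *il, unsigned n, int clear, struct scan_result *r)
{
    r->devices = r->setid = r->cleared = 0;
    for (unsigned i = 0; i < n; i++) {
        unsigned m = il[i].mode, type = m & M_IFMT;
        if (m == 0)
            continue;                              /* unallocated inode */
        if (type == M_IFCHR || type == M_IFBLK)
            r->devices++;
        if (m & M_SETID)
            r->setid++;
    }
    if (r->devices > 0 || (r->setid > 0 && !clear))
        return MOUNT_REFUSE;
    for (unsigned i = 0; i < n; i++)
        if (il[i].mode & M_SETID) {
            il[i].mode = (uint16_t)(il[i].mode & ~M_SETID);
            r->cleared++;
        }
    return MOUNT_OK;
}

int main(void)
{
    /* Constructed sample: plain file, set-uid root binary, free slot, FIFO. */
    struct disk_inode il[] = { {0100644, 100, 100}, {0104755, 0, 0},
                               {0, 0, 0}, {0010644, 100, 100} };
    struct scan_result r;
    int v = scan_ilist(il, 4, 1, &r);
    printf("verdict=%s setid=%u cleared=%u devices=%u\n",
           v == MOUNT_OK ? "mount" : "refuse", r.setid, r.cleared, r.devices);
    return 0;
}
```

The clearing here happens only on the in-memory copy; writing the modified inodes back to the media, or mounting with the bits ignored, is left to the caller.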