Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!samsung!uunet!mcsun!unido!mikros!mwtech!martin
From: martin@mwtech.UUCP (Martin Weitzel)
Newsgroups: comp.unix.questions
Subject: Re: mounting and setuid question...
Message-ID: <541@mwtech.UUCP>
Date: 13 Dec 89 21:21:35 GMT
References: <23@gagme.uucp> <5338@omepd.UUCP>
Reply-To: martin@mwtech.UUCP (Martin Weitzel)
Organization: MIKROS Systemware, Darmstadt/W-Germany
Lines: 47

In article <5338@omepd.UUCP> merlyn@iwarp.intel.com (Randal Schwartz) writes:
>In article <23@gagme.uucp>, gulik@gagme (Gregory Gulik) writes:
>| Is it possible to set up a shell script that will
>| allow non-super-user people to mount a floppy file system?
>
>Yes... but... [description of security hole deleted]

Several security holes occur if you allow everyone to mount a floppy (more generally: a file system on removable media):

1) There may be root-suid/sgid files on the media, which allow intrusion into the system. (The files may be produced in advance on some other system, where the intruder has root privileges.) As far as I know, this problem was cured in very recent UNIX releases by *not* obeying the s-bits in file systems which were not mounted by the super-user.

2) There may be i-nodes that point to device files like /dev/mem or disk partitions. This would also enable any bad guy to intrude into the system. For the 'real unix hacker' everything is open then (even if he/she is originally locked in a chroot-ed environment!!). I don't know if this was fixed together with problem 1).

3) Because the mount command was not designed to be run setuid to root, it doesn't make any checks whether you have access rights to the mount point. So you could carefully prepare a floppy with a file named 'passwd' containing the one line "a::0:0::/:" and mount it .... (guess where - and be sure also to include the unmount command :-))

To cure these problems, I've written a collection of shell scripts and C programs, which look at a file system on removable media with the same accuracy as a system operator would (should) do before mounting some floppy a user brings to him or her. The programs take care of umounting too, so that a malicious user could not unmount some resource at will.

If anyone out there is interested, I'm willing to email the programs. I'll also consider posting them if I receive sufficient requests within the next days.
-- 
<<< MW -- email: see header -- voice: 49-(0)6151-6 56 83 >>>
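The checks the post describes (scanning the media for setuid/setgid files and device nodes, and validating the mount point before a setuid wrapper hands it to mount), written out as an added example in POSIX sh. This is not Martin Weitzel's code and was not posted in the thread. It assumes the wrapper has first mounted the media read-only at a staging directory only root can reach, which is the tree that gets scanned; the names check_tree, check_mountpoint, vet_and_mount, MOUNT_ROOT and MOUNT_CMD are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Sketches what a setuid
# mount wrapper for removable media should verify before mounting for a user:
# hole 1 and hole 2 by scanning the media, hole 3 by pinning the mount point.
# Assumptions: the media is already mounted read-only at a private staging
# directory; MOUNT_ROOT is the only directory under which users may mount;
# MOUNT_CMD exists so the example can run without privileges.

# check_tree DIR
# Print every setuid/setgid regular file and every block/character device
# node below DIR to stderr and return 1 if any exist, 0 if the tree is clean.
check_tree() {
    tree=$1
    bad=$(find "$tree" \( -type b -o -type c \) -print 2>/dev/null; \
          find "$tree" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null)
    if [ -n "$bad" ]; then
        printf 'refusing media, suspicious entries:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# check_mountpoint PREFIX MP USER
# Accept MP only if it is an existing plain directory owned by USER whose
# resolved path (symlinks and ".." collapsed) lies strictly below PREFIX.
# This is the check mount(8) itself never made for a setuid caller (hole 3),
# so a user cannot name /etc, or a symlink to it, as the mount point.
check_mountpoint() {
    prefix=$1 mp=$2 user=$3
    if [ -L "$mp" ] || [ ! -d "$mp" ]; then
        echo "refusing: $mp is not a plain directory" >&2
        return 1
    fi
    prefix_real=$(cd "$prefix" 2>/dev/null && pwd -P) || return 1
    mp_real=$(cd "$mp" 2>/dev/null && pwd -P) || return 1
    case $mp_real in
        "$prefix_real"/?*) ;;
        *) echo "refusing: $mp resolves outside $prefix" >&2; return 1 ;;
    esac
    # Portable owner lookup (stat(1) flags differ between GNU and BSD).
    owner=$(ls -ld "$mp_real" | awk '{ print $3 }')
    if [ "$owner" != "$user" ]; then
        echo "refusing: $mp is owned by $owner, not $user" >&2
        return 1
    fi
    return 0
}

# vet_and_mount DEVICE STAGING MP USER
# The order a wrapper should follow: scan the read-only staging mount of the
# media, validate the user's mount point, and only then mount it for the user.
# ro,nosuid,nodev,noexec ask the kernel to ignore s-bits and device nodes too,
# so the scan is not the only line of defence. MOUNT_CMD defaults to mount.
vet_and_mount() {
    dev=$1 staging=$2 mp=$3 user=$4
    check_tree "$staging" || return 1
    check_mountpoint "${MOUNT_ROOT:-/mnt/floppy}" "$mp" "$user" || return 1
    ${MOUNT_CMD:-mount} -o ro,nosuid,nodev,noexec "$dev" "$mp"
}
```

The same pinning applies to the unmount side the post mentions: a wrapper that unmounts should accept only mount points below MOUNT_ROOT that the calling user mounted, never an arbitrary path.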