home *** CD-ROM | disk | FTP | other *** search
- Path: sparky!uunet!olivea!spool.mu.edu!agate!doc.ic.ac.uk!uknet!mcsun!sunic!kth.se!cyklop.nada.kth.se!paf
- From: paf@cyklop.nada.kth.se (Patrik Fltstrm)
- Newsgroups: comp.security.misc
- Subject: Re: Setuid script - is this unsecure?
- Message-ID: <1992Nov5.071354.24042@kth.se>
- Date: 5 Nov 92 07:13:54 GMT
- Sender: usenet@kth.se (Usenet)
- Organization: Royal Institute of Technology, Stockholm, Sweden
- Lines: 28
- Nntp-Posting-Host: cyklop.nada.kth.se
-
- In article <1992Nov5.030530.24039@zip.eecs.umich.edu> chiner@nova.gmi.edu writes:
- >rickt@bnr.co.uk (Rick Tait) writes:
- >: I recently installed these shell scripts on my machine (on which I am root),
- >: and I'd like to know if I'm compromising it's security. Basically, they
- >: just allow the users to mount/umount/eject the floppy disk (pcfs).
- >
- >: /usr/etc/mount -t pcfs /dev/fd0 /pcfs
- > ^-o nosuid
- >:
- >and some other problems... I'll point out, that all the mount commands
- >need a -o nosuid... otherwise, anyone who can get a root shell on a disk,
- >can get root on your system...
-
- Because he is mounting the floppy as a PC-filesystem and not a BSD
- filesystem (-t pcfs), there is no need for the nosuid switch.
-
- But IF you have mounted it as a BSD filesystem, you have needed
- the nosuid switch and also a switch for nodev (do not accept
- devices on this device) which you don't have in SunOS, well, not
- in 4.1.3 at least.
-
- The switch nodev and nosuid is in BSD4.4 so I still hope that users
- can be able to mount there own floppies in the future. You know, even
- if backups are made every hour, they can fail, and it's very
- comfortable for a user to at least be able to take care of his/her own
- files.
-
- paf
-
