ccw (04/06/83)
I'm thinking of making our dual density floppy drive available for general users to mount a UNIX filesystem over a specific directory. I've talked with one of the local super-gurus about this, and his suggestion is to write a quick little program that goes out to the disk and changes all file ownership to that of the user wanting to mount the diskette. I can also see a problem if the diskette is exchanged with another AFTER the mount. Has anybody out there thought about these problems and if there is any really secure way to allow general users to mount a filesystem?
rascal (04/08/83)
At Wisconsin, a long time ago, our v6 was modified to only allow suid-programs to run from certain devices. In particular, our mountable floppies were excluded. I'm pretty sure the code was just kludged to check, but I think the device table could be modified to hold this information.
smk (04/15/83)
All you have to do is use ncheck -s to check that no special files or setuid files are used and perform an fsck. If both succeed, the file system can be mounted by users. We have a file called /etc/fstypes that contains the special file, size, interleave, and list of users allowed to mount. Commands called initialize, attach, and detach allow users to do this themselves. The only drawback is when they replace disks currently mounted with a `devious' disk.
borman (04/21/83)
We have two RX02 floppies (on a PDP 11/70 running V7)
and have been allowing users to mount and unmount them for years,
through commands named rxmount and rxumount, which do the obvious things.
It does a dcheck -s before it mounts it to check the integrity of the
floppy and to look for setuid programs. If the dcheck fails, the user
gets a message to go see the system manager to get it fixed. We are
kind of isolated here, no other systems with RX02s around for people
to get at, and since double density RX02 is not real standard, we don't
have to worry much about people mucking the file system. (The user has
access only to double density, not single density.) This system is great
except for the old floppy-switch-after-the-mount routine.
We were just talking about it recently, and it suddenly occurred to
me what the obvious solution is to people mounting and then switching
floppies (two identical floppies, except one has say, a program setuid
sys). In sys1.c, when looking at the setuid bit, also check what
device the file resides on. If it is the floppy, don't honor the
setuid/setgid bits. Thus, you are effectively declaring certain
devices, which are always going to be user-mounted filesystems,
to not have any set-uid bits. Of course, you could still twiddle
the ownership, but if you disallow setuid/setgid, who cares? The
main security problem has been removed. We have not implemented
this yet, since it is rather low on our list of projects, but it
would not take much work to do. Probably the cleanest way to
implement this would be to add a setuidok field to the block
device switch table, and then just consult the table to see if
it is ok to honor the setuid/setgid bits.
-Dave Borman, {ihnp4|harpo}!stolaf!borman
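The pre-mount check that smk's and borman's posts describe (ncheck -s / dcheck -s: refuse the disk if it carries special files or set-id files), written out as an added user-space example that is not from the thread. The names scan_tree and scan_selftest, the struct, and the /tmp scratch tree are my own assumptions, not anything the posters ran.

```c
#define _XOPEN_SOURCE 700   /* lstat, mkdtemp, mkfifo, S_ISSOCK on glibc */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
struct scan_result { int setid; int special; };
/* Walk 'path' without following symlinks, counting what a user-supplied disk must not
 * contribute: set-uid/set-gid regular files and special files. 0 = ok, -1 = walk failed. */
int scan_tree(const char *path, struct scan_result *r)
{
    struct stat st; if (lstat(path, &st) != 0) return -1;
    if (S_ISREG(st.st_mode) && (st.st_mode & (S_ISUID | S_ISGID))) {
        printf("set-id file:  %s (mode %04o)\n", path, (unsigned)(st.st_mode & 07777));
        r->setid++;
    } else if (S_ISCHR(st.st_mode) || S_ISBLK(st.st_mode) ||
               S_ISFIFO(st.st_mode) || S_ISSOCK(st.st_mode)) {
        printf("special file: %s\n", path);
        r->special++;
    }
    if (!S_ISDIR(st.st_mode)) return 0;
    DIR *d = opendir(path); if (!d) return -1;
    int rc = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        char child[4096];
        snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        if (scan_tree(child, r) != 0) rc = -1;   /* keep walking, remember the failure */
    }
    closedir(d);
    return rc;
}
/* Self-test on a constructed tree under /tmp: a plain file, a set-uid file and a fifo.
 * Returns the number of offending entries (2 here); 0 would mean "safe to mount". */
int scan_selftest(void)
{
    char dir[] = "/tmp/floppyXXXXXX", p[3][64];
    if (!mkdtemp(dir)) return -1;
    snprintf(p[0], 64, "%s/plain", dir);  close(open(p[0], O_CREAT | O_WRONLY, 0644));
    snprintf(p[1], 64, "%s/suidsh", dir); close(open(p[1], O_CREAT | O_WRONLY, 0755));
    chmod(p[1], S_ISUID | 0755);          /* the "program setuid sys" of the thread */
    snprintf(p[2], 64, "%s/fifo", dir);   mkfifo(p[2], 0644);
    struct scan_result r = {0, 0}; int rc = scan_tree(dir, &r);
    for (int i = 0; i < 3; i++) unlink(p[i]); rmdir(dir);
    return rc == 0 ? r.setid + r.special : -1;
}
```

On a real disk you would run scan_tree on the mount point and refuse the mount when either count is non-zero; as the thread notes, this still does nothing about a floppy swapped after the check, which is why borman's kernel-side "never honour set-id on this device" idea is the stronger fix.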