ccw (04/06/83)
I'm thinking of making our dual density floppy drive available for general users to mount a UNIX filesystem over a specific directory. I've talked with one of the local super-gurus about this, and his suggestion is to write a quick little program that goes out to the disk and changes all file ownership to that of the user wanting to mount the diskette. I can also see a problem if the diskette is exchanged with another AFTER the mount. Has anybody out there thought about these problems and if there is any really secure way to allow general users to mount a filesystem?
rascal (04/08/83)
At Wisconsin, a long time ago, our v6 was modified to only allow suid-programs to run from certain devices. In particular, our mountable floppies were excluded. I'm pretty sure the code was just kludged to check, but I think the device table could be modified to hold this information.
smk (04/15/83)
All you have to do is use ncheck -s to check that no special files or setuid files are used and perform an fsck. If both succeed, the file system can be mounted by users. We have a file called /etc/fstypes that contains the special file, size, interleave, and list of users allowed to mount. Commands called initialize, attach, and detach allow users to do this themselves. The only drawback is when they replace disks currently mounted with a `devious' disk.
borman (04/21/83)
We have two RX02 floppies (on a PDP 11/70 running V7) and have been allowing users to mount and unmount them for years, through commands named rxmount and rxumount, which do the obvious things. It does a dcheck -s before it mounts it to check the integrity of the floppy and to look for setuid programs. If the dcheck fails, the user gets a message to go see the system manager to get it fixed. We are kind of isolated here, no other systems with RX02s around for people to get at, and since double density RX02 is not real standard, we don't have to worry much about people mucking the file system. (The user has access only to double density, not single density.) This system is great except for the old floppy-switch-after-the-mount routine. We were just talking about it recently, and it suddenly occurred to me what the obvious solution is to people mounting and then switching floppies (two identical floppies, except one has, say, a program setuid sys). In sys1.c, when looking at the setuid bit, also check what device the file resides on. If it is the floppy, don't honor the setuid/setgid bits. Thus, you are effectively declaring certain devices, which are always going to be user-mounted filesystems, to not have any set-uid bits. Of course, you could still twiddle the ownership, but if you disallow setuid/setgid, who cares? The main security problem has been removed. We have not implemented this yet, since it is rather low on our list of projects, but it would not take much work to do. Probably the cleanest way to implement this would be to add a setuidok field to the block device switch table, and then just consult the table to see if it is ok to honor the setuid/setgid bits.
-Dave Borman, {ihnp4|harpo}!stolaf!borman
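An added example, not code from the thread or from any of the posters: the first part is the pre-mount scan smk and Dave Borman describe (what they used ncheck -s and dcheck -s for), walking a directory and reporting setuid/setgid executables and block/character special files. The second part checks the kernel-side protection Borman proposes for the floppy-switch-after-the-mount problem; modern kernels expose exactly that per-mount "don't honor setuid, don't honor device nodes" rule as the nosuid and nodev mount options, and the check reads them from a Linux-style /proc/self/mountinfo layout. The mountinfo lines and the sample diskette tree are constructed for the example.

```python
"""Pre-mount scan for setuid/setgid and special files, plus a check that a
mounted volume carries nosuid and nodev.  Added example; the mountinfo text
and the sample tree are constructed, not taken from a real system."""
import os
import stat
import tempfile
from typing import List, Tuple


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk `root` without following symlinks and return (path, reason) pairs
    for every setuid/setgid regular file and every block/char special file.
    This is the same question `ncheck -s` / `dcheck -s` answered: does the
    diskette carry anything that would gain privilege once mounted?"""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append((path, "special file"))
            elif stat.S_ISREG(mode) and mode & stat.S_ISUID:
                findings.append((path, "setuid"))
            elif stat.S_ISREG(mode) and mode & stat.S_ISGID and mode & stat.S_IXGRP:
                findings.append((path, "setgid"))
    return findings


def safe_to_mount(root: str) -> bool:
    """True when the scan found nothing; the caller would run fsck as well."""
    return not scan_tree(root)


# Constructed /proc/self/mountinfo lines: one floppy mounted the safe way,
# one without the protective options.  Field 5 is the mount point, field 6
# the per-mount options (1-based, as the mountinfo format documents them).
SAMPLE_MOUNTINFO = """\
36 25 0:32 / /mnt/floppy rw,nosuid,nodev,relatime - ext2 /dev/fd0 rw
37 25 8:1 / /mnt/unsafe rw,relatime - ext2 /dev/sdb1 rw
"""


def mount_options(mountinfo: str, mountpoint: str) -> List[str]:
    """Return the option list recorded for `mountpoint` in mountinfo text."""
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[4] == mountpoint:
            return fields[5].split(",")
    raise KeyError(mountpoint)


def setuid_disabled(mountinfo: str, mountpoint: str) -> bool:
    """True when the kernel ignores setuid/setgid bits and device nodes on
    this mount, so a disk swapped in after the mount gains the user nothing.
    This is the runtime form of Borman's per-device 'setuidok' flag."""
    opts = set(mount_options(mountinfo, mountpoint))
    return "nosuid" in opts and "nodev" in opts


def build_sample_tree(root: str) -> str:
    """Create a constructed sample diskette under `root`: one clean script and
    one setuid copy (the 'devious disk' case).  Returns the setuid path."""
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    clean = os.path.join(bindir, "hello")
    bad = os.path.join(bindir, "sh")
    for path in (clean, bad):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
        os.chmod(path, 0o755)
    os.chmod(bad, 0o4755)  # setuid bit on an owned file needs no privilege
    return bad


def demo_findings() -> List[str]:
    """Build the sample tree in a temp dir and return the reasons found."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(why for _path, why in scan_tree(root))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for path, why in scan_tree(root):
            print(f"{why}: {path}")
        print("safe to mount:", safe_to_mount(root))
    for mp in ("/mnt/floppy", "/mnt/unsafe"):
        print(f"{mp}: setuid/devices disabled = {setuid_disabled(SAMPLE_MOUNTINFO, mp)}")
```

The two halves cover the two halves of the thread's problem: the scan catches a bad diskette before the mount, and the option check confirms that whatever is swapped in afterwards cannot carry privilege, which is why the kernel-side rule is the one that actually closes the hole.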