grr@cbmvax.UUCP (George Robbins) (05/15/89)
Somewhere around Ultrix 2.x users gained the ability to mount and dismount filesystems on their own, both NFS and conventional, assuming the objects have (in)appropriate protections. While there seem to be reasonable precautions against users mounting uncool filesystems and gaining some advantage from their contents, this does raise some additional security concerns.

One issue is that you must make sure there are *no* generally writable "block special devices" (normally disk partitions), since then any user could construct a file system image, which would, if it just happened to contain various corruptions, crash the system promptly and efficiently after mounting and accessing...

A second area of concern is an environment where there are globally exported filesystems, where the administrator expects to control which segments are mounted and their read/write status on a particular client system through the mount options in /etc/fstab. Since any user can mount filesystems themselves, such restrictions can easily be circumvented. Perhaps it is only a documentation issue, but older SunOS releases ~3.x don't even seem to provide a -o or -ro flag in /etc/exports to export a filesystem read-only...

Anyway, besides simply mentioning the "problem", here are a couple of ways to improve security that don't seem to be mentioned in the "Guide to Network File System" manual. One would be to change the protections on /bin/mount, /bin/nfs_mount, /bin/ufs_mount so that casual users can't run them. This, of course, doesn't prevent a clever user from issuing mount syscalls himself. The other seems to be to alter an undocumented kernel global named "turn_off_usrmnt" which seems to restore the traditional mode of operation - only superusers can mount filesystems...

To turn off user mounts in the running system (put this in /etc/rc.local):

	echo "turn_off_usrmnt/W 1" | adb -w -k /vmunix /dev/mem

Change the W 1 to a W 0 to turn it back on...

To "permanently" disable the option, by modifying the kernel image:

	echo "turn_off_usrmnt?W 1" | adb -w /vmunix

I've only played with this under 2.2, but the same global remains in 3.0 -- use undocumented features at your own risk, of course, since they are often accompanied by undocumented bugs... 8-)

Speaking of which, does DEC have any plans to actually implement the other cases in the filesystem switch? I'd think that USG (non BSD FFS) filesystems would be rather easy, since the code was in 4.1BSD. Support for RFS would be quite useful around here, since we've got little toy SVr3 systems sprouting up everywhere...

--
George Robbins - now working for,     uucp: {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing    arpa: cbmvax!grr@uunet.uu.net
Commodore, Engineering Department     fone: 215-431-9255 (only by moonlite)
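The two checks the post asks an administrator to make, as an added Bourne shell audit script that is not part of the original post: it lists world-writable block special devices under a given root and reports which of the named mount binaries are still executable by other users. The function names and the exit convention are this example's own assumptions.

```sh
#!/bin/sh
# Added audit helper, not from the original post. It checks the two exposures
# described above: world-writable block special devices (from which any user
# could mount a crafted filesystem image) and mount binaries that casual users
# can still run. Function names are assumptions of this example.

# Print block special devices under the tree $1 that are writable by "other"
# (octal -002 = other-write bit set). Prints nothing when the tree is clean.
find_writable_block_devs() {
    find "$1" -type b -perm -002 -print 2>/dev/null
}

# Of the mount binaries given as arguments (e.g. /bin/mount /bin/nfs_mount
# /bin/ufs_mount), print those still executable by "other" (octal -001).
# Missing paths are skipped silently.
find_user_runnable_mount_bins() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        # -prune keeps find on the single path instead of descending into it
        find "$f" -prune -perm -001 -print
    done
}

# Run both checks against root $1 and the mount binaries $2...; print the
# findings and return 1 if anything was found, 0 if the system looks clean.
audit_mount_exposure() {
    root=$1; shift
    rc=0
    devs=$(find_writable_block_devs "$root")
    if [ -n "$devs" ]; then
        printf 'World-writable block devices under %s:\n%s\n' "$root" "$devs"
        rc=1
    fi
    bins=$(find_user_runnable_mount_bins "$@")
    if [ -n "$bins" ]; then
        printf 'Mount binaries executable by others:\n%s\n' "$bins"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "No user-mount exposures found."
    fi
    return "$rc"
}

# Usage: sh audit_mounts.sh / /bin/mount /bin/nfs_mount /bin/ufs_mount
# Runs only when arguments are supplied, so the functions can be sourced alone.
if [ $# -gt 0 ]; then
    audit_mount_exposure "$@"
fi
```

Restricting the binaries only raises the bar for casual users; as the post notes, a user issuing the mount syscall directly is stopped only by the kernel-side switch.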