[comp.unix.amiga] Secure floppy filesystems

bernie@metapro.DIALix.oz.au (Bernd Felsche) (06/21/91)

In <319@devnull.mpd.tandem.com> lance@mpd.tandem.com (Lance Hartmann) writes:

>Forgive my ignorance, but what do you mean by "scanning the inodes"?  Yes,
>I know what an inode is, but I'm curious as to your procedure.  I guess

I'm relying on System V.3 Unix here, but I suspect that not much has
changed: ncheck(8) has all the gruesome details. The "-s" option scans
for special files and setuid files.

>you could read the raw floppy device, check the super block, etc.
>before mounting, but is there a EASY, KNOWN way for checking the stat's of the
>raw contents?  For example, you'd certainly want to make sure that there
>weren't ANY files with setuid/setgid bits set (particularly, root owned!).
>I know that all the info would be there, but am wondering how easy/difficult
>it would be to do this....

Simple :-) Almost trivial. ncheck will even pick up naughty devices.
-- 
Bernd Felsche,                 _--_|\   #include <std/disclaimer.h>
Metapro Systems,              / sold \  Fax:   +61 9 472 3337
328 Albany Highway,           \_.--._/  Phone: +61 9 362 9355
Victoria Park,  Western Australia   v   Email: bernie@metapro.DIALix.oz.au

wschmidt@fix (Wolfram Schmidt) (06/22/91)

Quote from the Ultrix 3.1 mount manual page (without permission, of course):

         General users can only mount file systems with certain res-
         trictions.  For example, the user, other than the superuser,
         performing the mount must own the directory directory.
         Furthermore, no users other than the superuser can execute
         setuid or setgid programs on the mounted file systems.  In
         addition, users other than the superuser cannot access block
         or special character devices such as rra0g on the mounted
         file systems.

If it works, that's what we need!

-Wolfram

dillon@overload.Berkeley.CA.US (Matthew Dillon) (06/23/91)

    There is no way to secure a floppy.  The user could easily put a setuid
    root executable on it and then it would not really matter *where* it
    is mounted.

					    -Matt

--

    Matthew Dillon	    dillon@Overload.Berkeley.CA.US
    891 Regal Rd.	    uunet.uu.net!overload!dillon
    Berkeley, Ca. 94708
    USA

swarren@convex.com (Steve Warren) (06/24/91)

In article <dillon.8977@overload.Berkeley.CA.US> dillon@overload.Berkeley.CA.US (Matthew Dillon) writes:
>    There is no way to secure a floppy.  The user could easily put a setuid
>    root executable on it and then it would not really matter *where* it
>    is mounted.

The utility that calls mount would not allow a disk with setuid root
executables on it.  Since the Amiga knows when a floppy is ejected, it should
be possible to note such action and unmount the filesystem upon ejecting the
disk.  This would preclude mounting-and-swapping to get around security.
--
            _.
--Steve   ._||__
  Warren   v\ *|
             V  

peter@ficc.ferranti.com (Peter da Silva) (06/26/91)

In article <dillon.8977@overload.Berkeley.CA.US> dillon@overload.Berkeley.CA.US (Matthew Dillon) writes:
>     There is no way to secure a floppy.  The user could easily put a setuid
>     root executable on it and then it would not really matter *where* it
>     is mounted.

There should be a file system type that doesn't allow special files.

If this was AmigaDOS, Matt Dillon would have written a handler for it
in the time it takes me to type this message, but UNIX is a mite more
complex.

How about it, Commodore? You could sell it twice... once on AMIX, and
once to SCO for their next secure product.
-- 
Peter da Silva; Ferranti International Controls Corporation; +1 713 274 5180;
Sugar Land, TX  77487-5012;         `-_-' "Have you hugged your wolf, today?"

ag@amix.commodore.com (Keith Gabryelski) (06/26/91)

dillon@overload.Berkeley.CA.US (Matthew Dillon) writes:
>     There is no way to secure a floppy.

Sure there is: one rule must be followed, though.  If a user mounts a
filesystem then set[ug]id or device files on that filesystem should not work.

Pax, Keith
-- 
Keith Gabryelski                                 Advanced Products Group
ag@amix.commodore.com                                 ...!cbmvax!amix!ag

asg@sage.cc.purdue.edu (The Grand Master) (06/27/91)

In article <2761@amix.commodore.com> ag@amix.commodore.com (Keith Gabryelski) writes:
}dillon@overload.Berkeley.CA.US (Matthew Dillon) writes:
}>     There is no way to secure a floppy.
}
}Sure there is: one rule must be followed, though.  If a user mounts a
}filesystem then set[ug]id or device files on that filesystem should not work.
}
}Pax, Keith

That is not all. 
Device files must also be ignored. 
What if I use my Amiga3000UX at home and create a floppy with a 
device file that has the device numbers of /dev/kmem, and then make it 777?
(It would be in my uid and not suid.) Now I have a way to alter and/or poke
through kernel memory, no?
So device files must also be ignored.
			Bruce
---------
                                   ###             ##
Courtesy of Bruce Varney           ###               #
aka -> The Grand Master                               #
asg@sage.cc.purdue.edu             ###    #####       #
PUCC                               ###                #
;-)                                 #                #
;'>                                #               ##

bernie@metapro.DIALix.oz.au (Bernd Felsche) (06/27/91)

In <2761@amix.commodore.com> ag@amix.commodore.com (Keith Gabryelski) writes:

>dillon@overload.Berkeley.CA.US (Matthew Dillon) writes:
>>     There is no way to secure a floppy.

>Sure there is: one rule must be followed, though.  If a user mounts a
>filesystem then set[ug]id or device files on that filesystem should not work.

Let's just refuse to mount a floppy with set[ug]id files and devices,
except for when "root" mounts it. The tools are there. Why make the
thing _more_ complex?

A setuid program which runs /etc/ncheck first, inspects its output for
anomalies, and then exec's /etc/mount with appropriate arguments if it
is safe. It could even log intrusion attempts, for the paranoid!

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/wait.h>

int main(int argc, char *argv[])
{
	int fd[2], specials = 0;
	pid_t pid;
	char line[512];
	FILE *out, *log;
	/* preamble: argv[1] is the floppy's block device, argv[2] the mount point */
	if (argc != 3) { fprintf(stderr, "usage: %s device dir\n", argv[0]); exit(2); }
	if (getuid() != 0) {	/* not root: run /etc/ncheck -s on a pipe first */
		if (pipe(fd) < 0 || (pid = fork()) < 0) { perror("securemount"); exit(1); }
		if (pid == 0) {		/* child: stdout to the pipe, exec ncheck */
			close(fd[0]);
			dup2(fd[1], 1);
			close(fd[1]);
			execl("/etc/ncheck", "ncheck", "-s", argv[1], (char *)0);
			_exit(127);
		}
		close(fd[1]);		/* parent: close fds not req'd */
		out = fdopen(fd[0], "r");
		/* parse output: -s lists only special and set[ug]id inodes, one per
		 * line as "inode<TAB>path" under a "device:" header; count them */
		while (out && fgets(line, sizeof line, out))
			if (line[0] >= '0' && line[0] <= '9')
				specials++;
		if (specials) {		/* funny business */
			kill(pid, SIGTERM);	/* kill ncheck if still running */
			if ((log = fopen("/usr/adm/securemount.log", "a")) != NULL) {	/* log attempt */
				fprintf(log, "uid %d: %d special/set[ug]id files on %s\n",
					(int)getuid(), specials, argv[1]);
				fclose(log);
			}
			fprintf(stderr, "securemount: %s refused\n", argv[1]);	/* report error */
			exit(1);
		}
		fclose(out);
		waitpid(pid, NULL, 0);
	}
	/* do the mount */
	execl("/etc/mount", "mount", argv[1], argv[2], (char *)0);
	perror("/etc/mount");
	exit(1);
}

The main danger is when people insert floppies in the drive which are
only slightly different to the one mounted.

The securemount program could read in all the directories as soon as
the floppy's mounted "for performance reasons" so that the blocks are
buffered, and won't be read from the floppy if it is changed.

Will the device driver return an error if a disk change has occurred
since the block device was mounted?? It seems like the right place to
handle this sort of thing.
-- 
Bernd Felsche,                 _--_|\   #include <std/disclaimer.h>
Metapro Systems,              / sold \  Fax:   +61 9 472 3337
328 Albany Highway,           \_.--._/  Phone: +61 9 362 9355
Victoria Park,  Western Australia   v   Email: bernie@metapro.DIALix.oz.au
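The check the whole thread is circling (Bernd's ncheck -s scan, Keith's
rule that set[ug]id and device files on a user-mounted filesystem must not
work, Bruce's /dev/kmem-numbered device node, and the securemount sketch
above), written out as an added example that is not from any of the posters
and not Commodore's or anyone's product code. It is the same test done with
lstat(2) on an already-mounted tree instead of ncheck on the raw device, so
it assumes the floppy has first been mounted somewhere the user cannot yet
use it (or with the Ultrix-style restrictions, nosuid and nodev on a modern
mount). Device nodes are reported with their major/minor numbers because
that, not the path or the owner, is what the kernel keys device access on,
which is exactly Bruce's point. The major()/minor() header is the glibc/musl
one (an assumption; BSDs get them from sys/types.h). The fixture tree is
constructed here for the demonstration; device nodes need root to mknod, so
they are only exercised against a real /dev.

```c
/* Added example (not from the thread): the check securemount needs, done with
 * lstat(2) on an already-mounted tree instead of ncheck on the raw device.
 * Walks the tree without following symlinks and counts the inodes an ordinary
 * user's floppy must not carry: set-uid/set-gid regular files and block or
 * character device nodes (reported with major/minor, since the kernel keys
 * device access on those numbers, not on the path or the owner). */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>   /* major()/minor(): glibc/musl (assumption) */
#include <sys/types.h>
#include <unistd.h>

struct specials { int setuid, setgid, devices; };

static void scan_dir(const char *path, struct specials *s, FILE *report)
{
    char child[4096];
    struct dirent *e;
    struct stat st;
    DIR *d = opendir(path);

    if (d == NULL)
        return;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        /* lstat, never stat: a symlink on the floppy pointing at /dev/kmem or
         * at a setuid binary on the root disk must not be counted or followed. */
        if (lstat(child, &st) < 0)
            continue;
        if (S_ISDIR(st.st_mode)) {
            scan_dir(child, s, report);
        } else if (S_ISCHR(st.st_mode) || S_ISBLK(st.st_mode)) {
            s->devices++;
            if (report)
                fprintf(report, "device  %s  %c %u,%u mode %04o\n", child,
                        S_ISCHR(st.st_mode) ? 'c' : 'b',
                        (unsigned)major(st.st_rdev), (unsigned)minor(st.st_rdev),
                        (unsigned)(st.st_mode & 07777));
        } else if (S_ISREG(st.st_mode) && (st.st_mode & (S_ISUID | S_ISGID))) {
            if (st.st_mode & S_ISUID) s->setuid++;
            if (st.st_mode & S_ISGID) s->setgid++;
            if (report)
                fprintf(report, "set%s%s  %s  uid %u mode %04o\n",
                        (st.st_mode & S_ISUID) ? "uid" : "",
                        (st.st_mode & S_ISGID) ? "gid" : "", child,
                        (unsigned)st.st_uid, (unsigned)(st.st_mode & 07777));
        }
    }
    closedir(d);
}

/* Scan a tree; every counter at zero means there is nothing an unprivileged
 * mount should refuse. Pass report=NULL to count silently. */
struct specials scan_tree(const char *root, FILE *report)
{
    struct specials s = {0, 0, 0};
    scan_dir(root, &s, report);
    return s;
}

/* Constructed fixture standing in for a mounted floppy: a fresh temp tree with
 * one set-uid file, one set-gid file and one harmless file. Device nodes need
 * root to mknod, so they are only exercised against a real /dev. */
const char *make_fixture(void)
{
    static char root[32];
    char p[64];
    int fd;

    strcpy(root, "/tmp/floppyXXXXXX");
    if (mkdtemp(root) == NULL)
        return NULL;
    snprintf(p, sizeof p, "%s/bin", root);
    mkdir(p, 0755);
    snprintf(p, sizeof p, "%s/bin/getroot", root);
    if ((fd = open(p, O_WRONLY | O_CREAT, 0755)) >= 0) { close(fd); chmod(p, 04755); }
    snprintf(p, sizeof p, "%s/bin/getgroup", root);
    if ((fd = open(p, O_WRONLY | O_CREAT, 0755)) >= 0) { close(fd); chmod(p, 02755); }
    snprintf(p, sizeof p, "%s/README", root);
    if ((fd = open(p, O_WRONLY | O_CREAT, 0644)) >= 0) close(fd);
    return root;
}

int main(int argc, char *argv[])
{
    const char *root = argc > 1 ? argv[1] : make_fixture();
    struct specials s;

    if (root == NULL)
        return 2;
    s = scan_tree(root, stdout);
    printf("%s: %d set-uid, %d set-gid, %d device inodes\n",
           root, s.setuid, s.setgid, s.devices);
    return (s.setuid || s.setgid || s.devices) ? 1 : 0;   /* 1 = refuse the mount */
}
```

Run it with no argument to see it flag the constructed tree, or with /dev as
the argument to see the device-number report. The caveat Bernd raises in his
last paragraphs applies in full: a scan done after the medium is in the drive
races against a disk swap, so on any system that has them the kernel's nosuid
and nodev mount options are the real control and a scan like this is an audit
on top of them, not a replacement.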