[614] in linux-security and linux-alert archive
Re: [linux-security] SlackWare 3.0 insecurity
daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Fri Feb 23 16:34:34 1996
Date: Fri, 23 Feb 1996 15:12:50 -0500
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: Doctor Who <drwho@sinister.com>
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: Your message of Fri, February 23, 1996 00:29:54 -0500
"DW" == Doctor Who <drwho@sinister.com> writes:
DW> If you mount the CDROM, it is mounted SUID-enabled. This is bad as
DW> many CDs include things such as the live filesystem on the Slackware
DW> CD. Thus, all a cracker has to do is run /cdrom/live/usr/bin/splitvt
DW> or exploit some other horrible old SUID-bug and root is obtained.
Distribution developers/maintainers just can't completely protect
sysadmins from their own blunders IMHO; if a sysadmin is foolish enough
to allow his/her removable media to be mounted setuid, and said sysadmin
keeps a CD-ROM mounted like this...well, that's just asking for trouble.
(The way I view it, the fstab provided with distributions should be
considered as nothing more than a basic starting point for a
system--though I'm sure that others will debate that statement.)
As many already know, here are a few generally smart things to do (not
meant to be a comprehensive list):

  - All FS's except / should be listed as 'nodev' in the fstab.

  - All FS's except / and /usr should usually be 'nosuid' (unless
    explicitly required otherwise).

  - All removable media should be both 'nodev' and 'nosuid', which
    is implicit (along with 'noexec') if it carries the 'user' option.

  - Ditto for NFS filesystems ('nodev' and 'nosuid') unless, again,
    the situation dictates otherwise.

  - The truly cautious/paranoid may also want to mount some other
    things 'noexec' (e.g. FTP/archive areas).
DW> Fix this by changing the line in /etc/fstab which reads:
DW> /dev/cdrom /cdrom iso9660 ro 1 1
DW> to read:
DW> /dev/cdrom /cdrom iso9660 nosuid ro 1 1
^^typo (in 'nosuid ro').
The fourth (options) field is a comma-separated list, as in:
/dev/cdrom /cdrom iso9660 nosuid,ro 1 1
--Up.
--
Jeff Uphoff - systems/network admin. | juphoff@nrao.edu
National Radio Astronomy Observatory | juphoff@bofh.org.uk
Charlottesville, VA, USA | jeff.uphoff@linux.org
PGP key available at: http://www.cv.nrao.edu/~juphoff/
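An added example that is not part of Jeff's message, the Slackware distribution or the original thread: a small POSIX sh/awk audit that applies the fstab rules listed above ('nodev' on everything but /, 'nosuid' on everything but / and /usr, with 'user' implying both) to an fstab, and a companion that appends the missing options in the comma-separated form Jeff corrects at the end. The function names (check_fstab, count_findings, harden_fstab) and the sample fstab lines are constructed for this example; the distribution's real default fstab is not reproduced here.

```shell
#!/bin/sh
# Constructed sample fstab for the demonstration (not the Slackware 3.0 file).
# Deliberately contains the CD-ROM line from the original report, plus a
# few other mounts with and without the recommended options.
SAMPLE_FSTAB='/dev/hda1 / ext2 defaults 1 1
/dev/hda2 /usr ext2 defaults 1 2
/dev/hda3 /home ext2 defaults 1 2
/dev/cdrom /cdrom iso9660 ro 1 1
/dev/fd0 /floppy msdos user,noauto 0 0
fileserver:/export/home /mnt/nfs nfs rw 0 0
/dev/hda4 /var/ftp ext2 nodev,nosuid 1 2'

# check_fstab: read fstab text on stdin, print one line per missing option.
# Rules: nodev everywhere except /; nosuid everywhere except / and /usr;
# the 'user' option is treated as implying nodev, nosuid and noexec.
check_fstab() {
    awk '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    {
        mp = $2; type = $3; o = "," $4 ","     # wrap options so ",x," matches whole words
        has_user   = (o ~ /,user,/)
        has_nodev  = has_user || (o ~ /,nodev,/)
        has_nosuid = has_user || (o ~ /,nosuid,/)
        tag = ""
        if (type == "nfs") tag = " [NFS]"
        else if (type == "iso9660" || type == "msdos") tag = " [removable media]"
        if (mp != "/" && !has_nodev)
            print mp ": missing nodev" tag
        if (mp != "/" && mp != "/usr" && !has_nosuid)
            print mp ": missing nosuid" tag
    }'
}

# count_findings: number of problems check_fstab reports for stdin.
count_findings() {
    check_fstab | wc -l | tr -d ' '
}

# harden_fstab: rewrite fstab text from stdin, appending nodev/nosuid to the
# options field where the rules above require them (e.g. "ro" -> "ro,nodev,nosuid").
harden_fstab() {
    awk '
    /^[ \t]*(#|$)/ { print; next }             # pass comments and blank lines through
    {
        mp = $2; opts = $4; o = "," opts ","
        if (o !~ /,user,/) {                   # user already implies nodev,nosuid
            if (mp != "/" && o !~ /,nodev,/) opts = opts ",nodev"
            if (mp != "/" && mp != "/usr" && o !~ /,nosuid,/) opts = opts ",nosuid"
        }
        $4 = opts                              # rebuilds the record with the new options
        print
    }'
}

# Stand-alone demonstration: audit the sample, then show the hardened version.
echo "== findings in sample fstab =="
printf '%s\n' "$SAMPLE_FSTAB" | check_fstab
echo "== hardened fstab =="
printf '%s\n' "$SAMPLE_FSTAB" | harden_fstab
echo "== findings after hardening =="
printf '%s\n' "$SAMPLE_FSTAB" | harden_fstab | count_findings
```

To audit a live system, replace the sample with `check_fstab < /etc/fstab`; the script only reads its input and prints, so hardening the real file is a deliberate second step (`harden_fstab < /etc/fstab > /tmp/fstab.new`, then review and copy into place). It does not check the running mount table, so a filesystem mounted by hand without these options will not show up.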