[974] in linux-security and linux-alert archive


Re: [linux-security] Re: list of setuid programs (was: Security hole in Abuse)

daemon@ATHENA.MIT.EDU (Richard Huveneers)
Sat Jul 27 10:49:07 1996

To: linux-security@tarsier.cv.nrao.edu
Date: 27 Jul 1996 10:53:52 GMT
From: richard@hekkihek.hacom.nl (Richard Huveneers)
Reply-To: richard@hekkihek.hacom.nl

In article <199607242218.SAA13926@hcs.HARVARD.EDU>, dholland@hcs.HARVARD.EDU (David Holland) writes:

> > mount: mount, umount.
>
>I'm told there's a buffer overrun in mount, but I haven't looked at it
>yet. Smbmount is reportedly also not particularly secure.

I did a 'chmod u-s' on mount and umount a few months ago. As far as I can see,
this only breaks the 'user' mount option. In short, if you only issue mount
and umount as root, there is no point in installing it suid root.

[REW: Right: I only noticed the missing s-bits when I tried using mount
as a normal user again after I had upgraded. If you don't need them 
you could leave the s-bits off. This is also the recommendation for all
setuid tools that you have on your system. If you don't need them
executed at all, or want to require root privileges, you can simply take
the s-bits off.]

Richard Huveneers.
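
An added example, not part of the original post: a shell function that lists set-uid files under a directory which are not on an allowlist, and optionally runs the same 'chmod u-s' described above on them. The function name `audit_suid`, the allowlist file format and the `--strip` flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
#
# audit_suid DIR ALLOWLIST [--strip]
#   DIR        directory tree to scan (does not cross filesystems)
#   ALLOWLIST  file with one absolute path per line that may keep its s-bit,
#              e.g. the mount binary if you rely on the 'user' mount option
#   --strip    run 'chmod u-s' on every set-uid file not on the allowlist
#
# Prints the path of each set-uid file that is not allowlisted.
# Limitation: paths containing newlines are not handled.
audit_suid() {
    dir=$1
    allow=$2
    strip=${3:-}

    # -perm -4000 matches regular files that have the set-uid bit set.
    find "$dir" -xdev -type f -perm -4000 -print |
    while IFS= read -r f; do
        # -x: whole-line match, -F: fixed string, so paths are never
        # interpreted as regular expressions.
        if grep -qxF -- "$f" "$allow"; then
            continue
        fi
        printf '%s\n' "$f"
        if [ "$strip" = "--strip" ]; then
            chmod u-s -- "$f"
        fi
    done
}
```

Run it without `--strip` first to review the list; anything you only ever invoke as root is a candidate for losing its s-bit.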
