[974] in linux-security and linux-alert archive
Re: [linux-security] Re: list of setuid programs (was: Security hole in Abuse)
daemon@ATHENA.MIT.EDU (Richard Huveneers)
Sat Jul 27 10:49:07 1996
To: linux-security@tarsier.cv.nrao.edu
Date: 27 Jul 1996 10:53:52 GMT
From: richard@hekkihek.hacom.nl (Richard Huveneers)
Reply-To: richard@hekkihek.hacom.nl
In article <199607242218.SAA13926@hcs.HARVARD.EDU>, dholland@hcs.HARVARD.EDU (David Holland) writes:
> > mount: mount, umount.
>
>I'm told there's a buffer overrun in mount, but I haven't looked at it
>yet. Smbmount is reportedly also not particularly secure.
I did a 'chmod u-s' on mount and umount a few months ago. As far as I can see,
this only breaks the 'user' mount option. In short, if you only issue mount
and umount as root, there is no point in installing it suid root.
[REW: Right: I only noticed the missing s-bits when I tried using mount
as a normal user again after I had upgraded. If you don't need them
you could leave the s-bits off. This is also the recommendation for all
setuid tools that you have on your system. If you don't need them
executed at all, or want to require root privileges, you can simply take
the s-bits off.]
Richard Huveneers.
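
The step described in this message, as an added example that is not part of the original post: list the set-uid files under a directory and take the s-bit off every one that is not on a keep list, with a dry run first. The function names, the keep-file format and the scratch tree in `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit set-uid files and drop the s-bit
# from those you do not need, as described for mount and umount above.

# list_setuid DIR: print regular files under DIR that have the set-uid bit.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# strip_setuid DIR KEEPFILE [apply]
# KEEPFILE holds one basename per line that must stay set-uid.
# Prints every path that is not on the keep list; with "apply" as the third
# argument it also runs chmod u-s on it. Paths containing newlines are not
# handled.
strip_setuid() {
    list_setuid "$1" | while IFS= read -r path; do
        if grep -qxF -- "$(basename "$path")" "$2"; then
            continue                      # needed set-uid: leave it alone
        fi
        if [ "${3:-}" = apply ]; then
            chmod u-s -- "$path" || continue
        fi
        printf '%s\n' "$path"
    done
}

# Constructed demo: a scratch tree with stand-in files, not real binaries.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin"
    for f in mount umount su; do
        : > "$d/bin/$f"
        chmod 4755 "$d/bin/$f"
    done
    printf 'su\n' > "$d/keep"             # assumption: only su is still needed
    echo "would change:";  strip_setuid "$d/bin" "$d/keep"
    echo "changed:";       strip_setuid "$d/bin" "$d/keep" apply
    echo "still set-uid:"; list_setuid "$d/bin"
    rm -rf "$d"
}
demo
```

On a real system, point `strip_setuid` at a directory such as `/bin` as root and review the dry-run output before passing `apply`; as the message notes, removing the bit from mount breaks the 'user' mount option.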