daemon@ATHENA.MIT.EDU (Bruno Treguier)
Tue Oct 12 03:08:27 1999
Message-Id: <199910111609.SAA21427@clio.shom.fr>
Date: Mon, 11 Oct 1999 18:09:36 +0200
Reply-To: Bruno Treguier <Bruno.Treguier@SHOM.FR>
From: Bruno Treguier <Bruno.Treguier@SHOM.FR>
X-To: BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Hello,
On May 10, Jonas Stahre <yes@allevil.campus.luth.se> sent a message about a
problem he encountered on Solaris 7 with rmmount not disabling set-uid programs
on external devices like CD-ROMs or floppies, in spite of what is written in the
man page.
(Message-id: <Pine.BSF.4.05.9905100836580.94142-100000@allevil.campus.luth.se>)
I did not pay much attention at that time (sorry Jonas :) ), but we just ran
into that problem a few days ago, as we are disseminating Solaris 7 here on
our client workstations.
The obvious consequence is that any user having physical access to the
workstation and having an account on it is able, by a simple "volcheck",
to gain root access if vold is running.
We called Sun today, and obviously they don't give a damn. They refuse to
consider this as a bug, as long as it is possible to correct the problem via
the rmmount.conf file (which is true).
However, I don't understand Sun's point of view. This is obviously a security
issue in rmmount's behaviour, which is NOT the same in previous versions of
Solaris. Moreover, the man page still reflects what this behaviour should be.
Any ideas about what can be done to make them change their mind about the
severity of this "feature"? :) Or am I really paranoid?
Regards,
Bruno
--
-- Service Hydrographique et Oceanographique de la Marine --- Service INF
-- 13, rue du Chatellier --- BP 426 --- 29275 Brest Cedex, FRANCE
-- Phone: +33 2 98 22 17 49 --- Email: Bruno.Treguier@shom.fr
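As an added illustration (not code from the original post or from Sun), a small shell audit for the condition Bruno describes: it scans mnttab-style entries for vold mount points under /cdrom and /floppy that were mounted without nosuid, and lists set-uid/set-gid files below a mounted volume. The mnttab sample lines are constructed, and the Solaris mnttab field order (special, mount point, fstype, options, time) is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a Solaris-style
# /etc/mnttab listing for vold-managed removable media (mounted under
# /cdrom or /floppy) that were mounted without "nosuid", which is the
# rmmount behaviour the post describes.  Assumed field layout:
#   special mount_point fstype options time

# Print "<mount_point> <options>" for each removable mount lacking nosuid.
# Returns 0 when every such mount has nosuid, 1 otherwise.
check_removable_mounts() {
    bad=0
    while read -r special mp fstype opts _rest; do
        [ -n "$mp" ] || continue
        case "$mp" in
            /cdrom|/cdrom/*|/floppy|/floppy/*) ;;   # vold mount points
            *) continue ;;
        esac
        case ",$opts," in
            *,nosuid,*) ;;                           # mounted safely
            *) bad=1; printf '%s %s\n' "$mp" "$opts" ;;
        esac
    done <<EOF
$1
EOF
    return $bad
}

# List set-uid/set-gid files below a mounted volume, so an admin can see
# what a user-supplied CD-ROM or floppy would expose if mounted with suid.
find_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Constructed sample: root fs, a CD-ROM mounted with suid allowed (bad),
# a floppy mounted with nosuid (fine).
SAMPLE_MNTTAB='/dev/dsk/c0t0d0s0 / ufs rw,intr,largefiles,suid,dev=800000 939600000
/vol/dev/dsk/c0t6d0/solaris7 /cdrom/solaris7 hsfs ro,intr,largefiles,dev=16c0001 939600100
/vol/dev/diskette0/unnamed_floppy /floppy/unnamed_floppy pcfs rw,nosuid,dev=1640000 939600200'

if check_removable_mounts "$SAMPLE_MNTTAB"; then
    echo "all removable media mounted nosuid"
else
    echo "WARNING: removable media mounted without nosuid (listed above)"
fi
```

On a live host, feed the function the contents of /etc/mnttab after inserting a volume; this is also a quick way to confirm that an rmmount.conf change of the kind Sun pointed to actually took effect.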