[3178] in bugtraq
Re: [linux-security] Re: Possible bufferoverflow condition in
daemon@ATHENA.MIT.EDU (don@paranoia.com)
Thu Aug 15 16:00:36 1996
Date: Thu, 15 Aug 1996 11:46:09 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "don@paranoia.com" <don@paranoia.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <Pine.LNX.3.91.960814011006.31250C-100000@tscnet.com>
On Wed, 14 Aug 1996, Mike Jackson <mhjack@tscnet.com> wrote:
> On Tue, 13 Aug 1996, Jeff Uphoff wrote:
>
> > "MA" == Mike Acar <mike@contract.kent.edu> writes:
> >
> > MA> Speaking of suid binaries, *why* are /bin/mount and /bin/umount suid?
> > MA> These shouldn't be run by anybody but the superuser.
> >
> > Linux supports the concept of user-mountable filesystems (via the option
> > specification "user" in /etc/fstab), allowing non-root users to mount
> > and unmount e.g. removable media like CD-ROMs and floppies. This
> > functionality is obviously not available unless mount/umount are suid
> > root.
>
> This would be a good candidate for sudo. As any good sysadmin
> will keep telling you... Disable ALL suid programs that are not
> necessary for the normal operation of the system. If a user needs to
> mount filesystems, use sudo to allow the operation as root.
>
> The same point goes for any other program. Very few programs
> need to actually be suid root. Most systems are using ppp these days,
> rather than slip. But how many systems still have dip set suid root?!
> I'd bet a lot do.
>
> Check your systems! Bugs in programs are found every day.
> Disable what is not needed.
>
> If only root mounts on your system, then use mode 700 for that
> mount command..
While I agree that disabling unneeded suid programs is definitely a good
idea (though mode 700 is a bit of overkill), I think that this particular
feature of mount cannot be implemented well outside of the mount program
itself. The idea is to let any user mount/umount only _certain_
filesystems, specified in /etc/fstab with the 'user' mount option.
The problem in mount, aside from the obvious buffer overrun, is that the
most basic maxim for coding privileged programs was ignored--again. All
privileged programs should run without those privileges enabled except
during execution of the critical code that needs them.
For example:
#include <unistd.h>     /* seteuid(), getuid() */
#include <sys/mount.h>  /* mount() */

int main(void)
{
    ... /* variable decls */
    seteuid( getuid() );   /* drop to the invoking user; the saved uid stays root */
    ... /* non-privileged code, including sprintf() */
    seteuid( 0 );          /* re-raise only for the one privileged call */
    mount( ... );
    seteuid( getuid() );   /* and drop again immediately afterwards */
    ... /* more non-privileged code */
}
If mount were written like this, then I seriously doubt that a minor
bounds-checking goofup could have caused this major security problem.
Humbly pointing out the obvious,
--
Michael E. Glasgow -- don@paranoia.com
http://www.paranoia.com/
"The only thing necessary for the triumph of evil is for good men to do
nothing." -- Edmund Burke
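The bracketing sketched in the post above, filled out as an added example (not code from the post or from the mount utility): the fstab "user" policy check runs while unprivileged with bounded scans, root is held only around the mount call, and `fake_mount` is a constructed stand-in for mount(2) so the program runs without being setuid root. The function names are mine.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Drop to the invoking user. In a setuid-root binary the saved set-user-ID
   stays 0, so seteuid(0) can re-raise later; until then an overrun in the
   unprivileged code runs with the user's own rights only. */
static int drop_privs(void)  { return seteuid(getuid()); }
static int raise_privs(void) { return seteuid(0); }

/* 1 when effective uid == real uid, i.e. no privilege is currently held. */
int running_unprivileged(void) { return geteuid() == getuid(); }

/* Policy check, run while unprivileged: does this fstab line list `mntpt`
   with the "user" option? Scan widths are bounded, so an overlong line
   cannot overrun the buffers (the bug class this thread is about). */
int fstab_line_allows_user(const char *line, const char *mntpt)
{
    char spec[256], file[256], type[64], opts[256], *o;
    if (*line == '#' || sscanf(line, "%255s %255s %63s %255s", spec, file, type, opts) != 4)
        return 0;                /* blank, comment or malformed line */
    if (strcmp(file, mntpt) != 0)
        return 0;
    for (o = strtok(opts, ","); o; o = strtok(NULL, ","))
        if (strcmp(o, "user") == 0)   /* exact: "users" is a different option */
            return 1;
    return 0;
}

/* Constructed stand-in for mount(2): it only counts calls, so the bracket
   can be exercised without real privileges. */
int fake_mount_calls;
int fake_mount(const char *src, const char *mntpt)
{ (void)src; (void)mntpt; fake_mount_calls++; return 0; }

/* The privilege bracket: raise, make the one privileged call, drop again on
   every path. A drop that fails aborts rather than continuing as root. */
int bracketed_mount(const char *src, const char *mntpt,
                    int (*do_mount)(const char *, const char *))
{
    int rc, saved;
    if (raise_privs() != 0)
        return -1;               /* no saved root (not setuid): refuse */
    rc = do_mount(src, mntpt);
    saved = errno;               /* keep the call's errno across the drop */
    if (drop_privs() != 0)
        _exit(1);
    errno = saved;
    return rc;
}
```

Run as an ordinary user, `bracketed_mount` returns -1 because there is no saved root uid to re-raise to; as root it calls `fake_mount` once and drops back.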