Re: Bug#27050 (fdutils): A cause for security concern?
Hello Ben, Avery and Wichert!
On Wed, Jan 20, 1999 at 12:50:59AM +0100, Wichert Akkerman wrote:
> Previously Anthony Fok wrote:
> > As the Slink deep freeze and release are impending, I would like to ask your
> > advice: Should I follow the suggestion given by the bug reporter Thomas
> > Roessler?
>
> I think so. For people who want to mount floppies without being root
> you can also use a line in /etc/fstab like this:
>
> /dev/fd0 /floppy auto noauto,noexec,nodev,user 0 0
Yes, I already have something similar in my /etc/fstab. The problem is
that fdmount is independent of mount. It doesn't even touch
/etc/fstab.
Unfortunately, the suggestion "chown root.floppy" and "chmod [12]754"
won't work either because fdmount.c has this check in it:
    if (geteuid()!=0)
        die("Must run with EUID=root");
I am a little bit tempted to comment that line out, but it's probably
there for a reason, and I am definitely not qualified to hack
fdmount.c, so for now I should probably add a /usr/sbin/fdutilsconfig
as Thomas has suggested.
> fdmount should probably be audited so we really know if it's secure. You
> could submit it to the security-auditing list
> (security-audit@ferret.lmh.ox.ac.uk).
Thanks for the info!
> > If so, should I fix this bug before Slink is out?
>
> Yes. I would hate to discover a vulnerability and release an advisory
> days after we release slink..
Okay, I will try to do it soon then. Hopefully I will have my school
assignments finished before the end of the weekend. :-)
Thanks a lot for all your advice and suggestions!
Anthony
--
Anthony Fok Tung-Ling Civil and Environmental Engineering
foka@ualberta.ca, foka@debian.org University of Alberta, Canada
anthony_fok@catholic.org Keep smiling! *^_^*
Come visit Our Lady of Victory Camp -- http://www.olvc.ddns.org/
or http://www.ualberta.ca/~foka/OLVC/
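As an added illustration of the point above (my own example code, not from fdutils and not posted by anyone in this thread): a small C model of what the kernel does with the setuid bit at exec time, combined with the same EUID check fdmount.c performs. It shows why "chown root.floppy" plus "chmod [12]754" cannot satisfy that check (no setuid bit, so the effective UID stays the caller's), while mode 4750 owned by root:floppy both keeps EUID=root and limits execution to the floppy group. The group id 25 for "floppy", the UIDs and the modes are constructed values for the example; the exec model ignores nosuid mounts and other refinements.

```c
/* Added example: model setuid semantics at exec() and apply
 * fdmount's "Must run with EUID=root" check to the result.
 * All UIDs, GIDs and modes below are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define ROOT_UID   0
#define FLOPPY_GID 25   /* assumed gid of group "floppy" on the example system */

/* Same condition as the check quoted from fdmount.c, for a given EUID. */
bool fdmount_euid_check(uid_t euid)
{
    return euid == ROOT_UID;
}

/* The check exactly as fdmount runs it, on the current process. */
bool fdmount_euid_check_self(void)
{
    return fdmount_euid_check(geteuid());
}

/* Simplified exec(): with the setuid bit set the effective UID becomes
 * the file owner; otherwise it stays the caller's real UID. Note that
 * setgid (02xxx) and sticky (01xxx) bits do not change the EUID at all. */
uid_t euid_after_exec(mode_t mode, uid_t owner, uid_t caller_uid)
{
    return (mode & S_ISUID) ? owner : caller_uid;
}

/* Classic owner/group/other execute-permission decision.
 * Root may execute a file if any execute bit is set. */
bool may_execute(mode_t mode, uid_t owner, gid_t group,
                 uid_t caller_uid, bool caller_in_group)
{
    if (caller_uid == ROOT_UID)
        return (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    if (caller_uid == owner)
        return (mode & S_IXUSR) != 0;
    if (caller_in_group)
        return (mode & S_IXGRP) != 0;
    return (mode & S_IXOTH) != 0;
}

/* Would a caller get past fdmount's EUID check with the binary
 * installed under these ownership and mode bits? */
bool fdmount_would_run(mode_t mode, uid_t owner, gid_t group,
                       uid_t caller_uid, bool caller_in_group)
{
    if (!may_execute(mode, owner, group, caller_uid, caller_in_group))
        return false;   /* cannot even exec the file */
    return fdmount_euid_check(euid_after_exec(mode, owner, caller_uid));
}

int main(void)
{
    struct { mode_t mode; bool in_group; const char *label; } cases[] = {
        { 04755, false, "root:root  4755, any user"        },
        { 02754, true,  "root:floppy 2754, floppy member"  },
        { 01754, true,  "root:floppy 1754, floppy member"  },
        { 04750, true,  "root:floppy 4750, floppy member"  },
        { 04750, false, "root:floppy 4750, non-member"     },
    };
    uid_t caller = 1000;   /* constructed: an ordinary user */

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool ok = fdmount_would_run(cases[i].mode, ROOT_UID, FLOPPY_GID,
                                    caller, cases[i].in_group);
        printf("%-34s -> %s\n", cases[i].label,
               ok ? "passes EUID check" : "rejected");
    }
    printf("this process: geteuid()==0 is %s\n",
           fdmount_euid_check_self() ? "true" : "false");
    return 0;
}
```

The model makes the thread's objection concrete: only the 04xxx bit hands the process EUID 0, so any mode of the form [12]754 leaves fdmount's check failing for every non-root caller, whatever the group ownership. Restricting who may run a setuid binary is done through the group execute bit (4750 root:floppy), not by dropping the setuid bit.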