Mounting floppies

John Young jgy at hropus.UUCP
Mon Dec 5 09:59:00 AEST 1988


> As quoted from <5682 at louie.udel.EDU> by law at udel.EDU (Jeff Law):
> +---------------
> | In article <8800002 at gistdev> flint at gistdev.UUCP writes:
> | >I think it would be nice to have an option on mount that would basically say
> | >"If the suid or guid bits are set on any files not owned by me, then clear the
> | >bits and then mount the floppy."
> | suid programs are not the only problem with allowing users to mount floppies,
> | what is going to stop me from putting my floppy in the drive and saying
> | mount /dev/floppy /etc
> +---------------
> 
> I responded to the original posting by mail with a fairly secure approach.
> I should note that such an approach limits the usefulness of the floppy
> drive, however.
> 
> Start out by making the floppy ?rwx------ root.  (The ? is "c" or "b"; this
> must be done to both raw and character devices, and MUST BE DONE TO ALL
> FLOPPY DRIVES ON THE SYSTEM.)
> 
> A setuid program is then used to mount floppies.  It checks the floppy in
> question for a magic number in the superblock (most superblocks have an
> unused area where such a number could be hidden) which identifies the uid of
> the owner -- which must be that of the person doing the mount -- and that
> this is a special user-mountable floppy.  (Root must build and flag the
> floppy because of the permissions.)  It then will only mount the floppy on
> an empty directory in the user's directory hierarchy, whose path (at least
> from below the home dir on down) contains no symlinks and which is owned by
> the user doing the mount.  It also might be a good idea to refuse mounts by
> people logged in on non-local terminals, although this isn't necessarily so.
> (Back when ncoast was a TRS-80 Model 16 with a 15MB disk, my home directory
> was the floppy drive....)
> 
> The minus of this scheme is that only root can use the floppy for non-mounted
> disks (tar/cpio/whatever).  The plus is that a user can have his/her own set
> of mountable disks, and not only can the user not break into the system, but
> nobody else can "borrow" the disks and mount them to snoop around in them.
> 
> No doubt there are a few things I overlooked, but this is a pretty good
> start and can probably be refined to remove any remaining security holes.
> 
> Note that under System V without symlinks, it's pretty secure already....
> 
> ++Brandon

No, you cannot rely on a system which attempts to stop bad things
from being done to removable media; the effort should be on defending
against presumed bad media.
Therefore you still need your suid (sgid might be better?)
mount command to check for s(uid|gid)
programs and either clear them or refuse to mount.
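The two checks discussed in this thread, a scan of the mounted media for set-id files that a user-mount wrapper would either strip or refuse on, and Brandon's rule that the mount point must be an empty, symlink-free directory owned by the mounting user, as an added example in Python that is not part of either post. The "floppy" is a constructed temporary directory, so nothing here actually calls mount; `build_demo_media`, `demo` and the file names inside it are assumptions for illustration only.

```python
"""Defensive checks a user-mount wrapper would run on removable media.
Added example; the media tree is constructed in a temp dir, not a real floppy."""
import os
import stat
import tempfile

SET_ID_BITS = stat.S_ISUID | stat.S_ISGID


def find_set_id_files(root, trusted_uid=None):
    """Walk `root` without following symlinks and return every regular file
    carrying the setuid or setgid bit.  If `trusted_uid` is given, files owned
    by that uid are skipped, matching the original request: only set-id files
    not owned by the mounting user are the problem."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):  # os.walk does not follow symlinks
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow links found on untrusted media
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & SET_ID_BITS):
                continue
            if trusted_uid is not None and st.st_uid == trusted_uid:
                continue
            hits.append(path)
    return sorted(hits)


def clear_set_id_bits(paths):
    """Strip setuid/setgid from each path (the 'clear them' option); returns count."""
    for p in paths:
        mode = stat.S_IMODE(os.lstat(p).st_mode)
        os.chmod(p, mode & ~SET_ID_BITS)
    return len(paths)


def is_safe_mount_point(path, uid, home):
    """Brandon's mount-point rule: an empty directory below `home`, owned by `uid`,
    with no symlink in any path component from `home` downward."""
    path, home = os.path.normpath(path), os.path.normpath(home)
    if not path.startswith(home + os.sep):
        return False
    try:
        cur = home
        for comp in path[len(home) + 1:].split(os.sep):
            cur = os.path.join(cur, comp)
            if stat.S_ISLNK(os.lstat(cur).st_mode):
                return False  # a symlink below home could redirect the mount elsewhere
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    return stat.S_ISDIR(st.st_mode) and st.st_uid == uid and not os.listdir(path)


def build_demo_media():
    """Constructed stand-in for a mounted floppy: one harmless file, one setuid
    file and one setgid file (hypothetical names)."""
    root = tempfile.mkdtemp(prefix="floppy_")
    os.makedirs(os.path.join(root, "bin"))
    for name, mode in (("README", 0o644), ("bin/setuid_tool", 0o4755), ("bin/setgid_tool", 0o2755)):
        p = os.path.join(root, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, mode)
    return root


def demo():
    """Run both checks over constructed input and report the results."""
    me = os.getuid()
    media = build_demo_media()
    found_all = find_set_id_files(media)
    found_foreign = find_set_id_files(media, trusted_uid=me)
    cleared = clear_set_id_bits(found_all)
    after = find_set_id_files(media)

    home = tempfile.mkdtemp(prefix="home_")
    good = os.path.join(home, "floppy")
    os.mkdir(good)
    os.symlink(good, os.path.join(home, "link"))      # symlink component: must be refused
    os.mkdir(os.path.join(home, "full"))
    open(os.path.join(home, "full", "x"), "w").close()  # non-empty: must be refused
    return {
        "found_all_names": [os.path.basename(p) for p in found_all],
        "found_foreign": found_foreign,
        "cleared": cleared,
        "after": after,
        "mount_ok": is_safe_mount_point(good, me, home),
        "mount_via_symlink": is_safe_mount_point(os.path.join(home, "link"), me, home),
        "mount_nonempty": is_safe_mount_point(os.path.join(home, "full"), me, home),
        "mount_outside_home": is_safe_mount_point("/etc", me, home),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the demo runs as an ordinary user, every file on the constructed media is owned by the caller, so the `trusted_uid` variant finds nothing while the unfiltered scan finds both set-id files; on real media written by someone else the two lists would differ. On modern systems the same "refuse to honour" effect is available without any scan by mounting removable media with the `nosuid` option, which makes the kernel ignore set-id bits on that filesystem.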



More information about the Comp.unix.wizards mailing list