Mounting floppies

Brandon S. Allbery allbery at ncoast.UUCP
Sun Dec 4 03:16:44 AEST 1988


As quoted from <5682 at louie.udel.EDU> by law at udel.EDU (Jeff Law):
+---------------
| In article <8800002 at gistdev> flint at gistdev.UUCP writes:
| >I think it would be nice to have an option on mount that would basically say
| >"If the suid or guid bits are set on any files not owned by me, then clear the
| >bits and then mount the floppy."
| suid programs are not the only problem with allowing users to mount floppies,
| what is going to stop me from putting my floppy in the drive and saying
| mount /dev/floppy /etc
+---------------

I responded to the original posting by mail with a fairly secure approach.
I should note that such an approach limits the usefulness of the floppy
drive, however.

Start out by making the floppy ?rwx------ root.  (The ? is "c" or "b"; this
must be done to both raw and character devices, and MUST BE DONE TO ALL
FLOPPY DRIVES ON THE SYSTEM.)

A setuid program is then used to mount floppies.  It checks the floppy in
question for a magic number in the superblock (most superblocks have an
unused area where such a number could be hidden) which identifies the uid of
the owner -- which must be that of the person doing the mount -- and that
this is a special user-mountable floppy.  (Root must build and flag the
floppy because of the permissions.)  It then will only mount the floppy on
an empty directory in the user's directory hierarchy, whose path (at least
from below the home dir on down) contains no symlinks and which is owned by
the user doing the mount.  It also might be a good idea to refuse mounts by
people logged in on non-local terminals, although this isn't necessarily so.
(Back when ncoast was a TRS-80 Model 16 with a 15MB disk, my home directory
was the floppy drive....)

The minus of this scheme is that only root can use the floppy for non-mounted
disks (tar/cpio/whatever).  The plus is that a user can have his/her own set
of mountable disks, and not only can the user not break into the system, but
nobody else can "borrow" the disks and mount them to snoop around in them.

No doubt there are a few things I overlooked, but this is a pretty good
start and can probably be refined to remove any remaining security holes.

Note that under System V without symlinks, it's pretty secure already....

++Brandon
-- 
Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X
uunet!hal.cwru.edu!ncoast!allbery  <PREFERRED!>	    ncoast!allbery at hal.cwru.edu
allberyb at skybridge.sdi.cwru.edu	      <ALSO>		   allbery at uunet.uu.net
comp.sources.misc is moving off ncoast -- please do NOT send submissions direct
      Send comp.sources.misc submissions to comp-sources-misc@<backbone>.
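The mount-point rule in the posting above, as an added example rather than code from the posting or from ncoast: a C validator a setuid mount helper could call before doing anything privileged. It enforces that the target is an absolute path strictly below the user's home directory, that every component from below the home dir on down is a real directory (no symlinks) owned by the mounting user, and that the final directory is empty. The superblock magic-number check and the mount call itself are left out; the names validate_mount_point and build_demo_home, the status codes and the scratch tree under /tmp are assumptions made for this example. It goes slightly beyond the posting in two ways: ownership is required of every component below the home directory, not only of the mount point, and each step uses openat() with O_NOFOLLOW so that the object whose ownership is checked is the object that would actually be mounted over.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of checking a proposed mount point (codes are this example's own). */
enum mp_status {
    MP_OK = 0,
    MP_NOT_UNDER_HOME,  /* not absolute, not strictly below home, or contains ".." */
    MP_SYMLINK,         /* a component below the home dir is a symlink */
    MP_NOT_DIR,         /* a component is not a directory */
    MP_WRONG_OWNER,     /* a component is not owned by the mounting user */
    MP_NOT_EMPTY,       /* the mount point already has entries */
    MP_ERROR            /* a system call failed (missing component, permissions, ...) */
};

/* 1 if the directory behind fd holds nothing but "." and "..", 0 otherwise,
 * -1 on error.  Takes ownership of fd: closedir() closes it. */
static int fd_dir_is_empty(int fd)
{
    DIR *d = fdopendir(fd);
    if (d == NULL) { close(fd); return -1; }
    int empty = 1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0) { empty = 0; break; }
    closedir(d);
    return empty;
}

/* Check that `path` is an acceptable mount point for user `uid` whose home is `home`. */
enum mp_status validate_mount_point(const char *home, const char *path, uid_t uid)
{
    size_t hlen = strlen(home);
    if (home[0] != '/' || path[0] != '/') return MP_NOT_UNDER_HOME;
    if (strncmp(path, home, hlen) != 0 || path[hlen] != '/') return MP_NOT_UNDER_HOME;

    /* The home directory is the trust anchor; as in the posting, only the
     * components below it are examined. */
    int fd = open(home, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return MP_ERROR;

    int depth = 0;
    const char *p = path + hlen;
    while (*p != '\0') {
        while (*p == '/') p++;                 /* skip separators and a trailing "/" */
        if (*p == '\0') break;
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char comp[256];
        if (len >= sizeof comp) { close(fd); return MP_ERROR; }
        memcpy(comp, p, len); comp[len] = '\0';
        p += len;
        if (strcmp(comp, ".") == 0) continue;
        if (strcmp(comp, "..") == 0) { close(fd); return MP_NOT_UNDER_HOME; }

        /* Classify the component without following a symlink. */
        struct stat st;
        if (fstatat(fd, comp, &st, AT_SYMLINK_NOFOLLOW) != 0) { close(fd); return MP_ERROR; }
        if (S_ISLNK(st.st_mode)) { close(fd); return MP_SYMLINK; }
        if (!S_ISDIR(st.st_mode)) { close(fd); return MP_NOT_DIR; }

        /* Descend with O_NOFOLLOW so a symlink swapped in after the stat fails. */
        int next = openat(fd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        close(fd);
        if (next < 0) return MP_ERROR;
        fd = next;

        /* Ownership is read from the object actually opened, not the earlier stat. */
        if (fstat(fd, &st) != 0) { close(fd); return MP_ERROR; }
        if (st.st_uid != uid) { close(fd); return MP_WRONG_OWNER; }
        depth++;
    }
    if (depth == 0) { close(fd); return MP_NOT_UNDER_HOME; }   /* home itself is not allowed */

    /* An empty mount point means nothing is hidden beneath the mounted floppy. */
    int empty = fd_dir_is_empty(fd);                           /* closes fd */
    if (empty < 0) return MP_ERROR;
    return empty ? MP_OK : MP_NOT_EMPTY;
}

/* Constructed demo data, not a real home: a scratch dir under /tmp holding an
 * empty dir "floppy", a non-empty dir "busy", a regular file "file" and a
 * symlink "link" -> "floppy".  Writes the scratch path into home_out. */
int build_demo_home(char *home_out, size_t n)
{
    char tmpl[] = "/tmp/mountdemo.XXXXXX", buf[1280];
    if (mkdtemp(tmpl) == NULL || strlen(tmpl) >= n) return -1;
    strcpy(home_out, tmpl);
    snprintf(buf, sizeof buf, "%s/floppy", tmpl);
    if (mkdir(buf, 0700) != 0) return -1;
    snprintf(buf, sizeof buf, "%s/busy", tmpl);
    if (mkdir(buf, 0700) != 0) return -1;
    snprintf(buf, sizeof buf, "%s/busy/leftover", tmpl);
    if (close(open(buf, O_WRONLY | O_CREAT, 0600)) != 0) return -1;
    snprintf(buf, sizeof buf, "%s/file", tmpl);
    if (close(open(buf, O_WRONLY | O_CREAT, 0600)) != 0) return -1;
    snprintf(buf, sizeof buf, "%s/link", tmpl);
    return symlink("floppy", buf);
}

int main(void)
{
    char home[1024], mp[1280];
    if (build_demo_home(home, sizeof home) != 0) { perror("setup"); return 1; }
    const char *cases[] = { "floppy", "busy", "link", "file", "../etc" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        snprintf(mp, sizeof mp, "%s/%s", home, cases[i]);
        printf("%s -> status %d\n", mp, validate_mount_point(home, mp, getuid()));
    }
    return 0;
}
```

A real helper would run this check as the invoking user (after dropping the setuid privilege, or with the user's uid passed in from getuid()), then re-acquire root only for the mount itself; the validator never needs privilege, which keeps the privileged window small.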



More information about the Comp.unix.wizards mailing list