
AW: Bug#4902: Major security hole in xvmount



>I do not see any reason to panic. xvmount itself is
>not more or less safe than any user mount. It bears 
>exactly the same risks. One simply has to take exactly 
>the same care when configuring the /etc/xvmounttab as 
>when editing the /etc/fstab. If you configure your
>/etc/fstab to enable SUID and DEV on a user mount
>point exactly the same can happen.

Absolutely true. But no other user mount is installed with these options
enabled by default!

>Nevertheless, you are certainly right that I should have
>added a warning notice that one HAS TO take this care
>when editing the /etc/xvmounttab. Moreover, the choice
>of the defaults by the author was not optimal. I have 
>changed this now to be exactly equivalent to the 
>presets for a normal user mount. However, I do not see
>any reason to generally disable SUID or DEV. It should
>stay the decision of the sysop what is to be enabled
>or not. Since the single user has no possibility to 
>influence the mount point or the mount options this
>is no general security hole.
>
>I hope you can agree. Then I will release the 
>corrected version.

I do. Just make sure that root has to do something to enable these
dangerous mounts.

Michael
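
The /etc/fstab side of the comparison made in this thread can be checked mechanically. The script below is an added example, not part of the original messages or of xvmount: it reports user-mountable entries whose options re-enable SUID or DEV. It covers /etc/fstab only, because the format of /etc/xvmounttab is not shown in the thread; the implied options follow mount(8), and the function names and sample entries are constructed for illustration.

```python
# Added example: audit /etc/fstab-style text for user-mountable entries
# whose effective options still permit setuid binaries or device nodes.

# Per mount(8), these options allow non-root mounting and imply the safe
# settings below unless a later option on the same line overrides them.
USER_OPTS = {
    "user": {"suid": False, "dev": False, "exec": False},
    "users": {"suid": False, "dev": False, "exec": False},
    "owner": {"suid": False, "dev": False},
    "group": {"suid": False, "dev": False},
}
TOGGLES = {"suid": True, "nosuid": False, "dev": True, "nodev": False,
           "exec": True, "noexec": False}

def effective(options):
    """Apply a comma-separated option list left to right."""
    state = {"suid": True, "dev": True, "exec": True, "user_mountable": False}
    for opt in (o.strip() for o in options.split(",")):
        if opt in USER_OPTS:
            state["user_mountable"] = True
            state.update(USER_OPTS[opt])
        elif opt == "nouser":
            state["user_mountable"] = False
        elif opt in TOGGLES:
            state[opt[2:] if opt.startswith("no") else opt] = TOGGLES[opt]
    return state

def audit(fstab_text):
    """Return (line number, mount point, risky flags) per finding."""
    findings = []
    for lineno, line in enumerate(fstab_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        state = effective(fields[3])
        risky = [flag for flag in ("suid", "dev") if state[flag]]
        if state["user_mountable"] and risky:
            findings.append((lineno, fields[1], risky))
    return findings

# Constructed sample input, not taken from the thread.
SAMPLE = """\
/dev/hda1   /        ext2     defaults                  0 1
/dev/fd0    /floppy  vfat     user,noauto               0 0
/dev/cdrom  /cdrom   iso9660  ro,user,noauto,suid,dev   0 0
/dev/sdb1   /usb     vfat     suid,dev,user,noauto      0 0
"""

if __name__ == "__main__":
    for lineno, mountpoint, risky in audit(SAMPLE):
        print(f"line {lineno}: {mountpoint} is user-mountable with {risky}")
```

Only the /cdrom entry is reported: there `suid,dev` come after `user` and override its implied `nosuid,nodev`, while on the /usb line `user` comes last and resets them.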

