Re: SECURITY PROBLEM: autofs [all versions]

hi christopher...

anytime someone has physical access to the machine...
you already have a security problem.... ( my definition )

i am not sure that you can get physical access as root
from the options shown in /etc/auto.misc.... but if you
are correct....wow...wonder how many people tried it...
and only now surfaces ???

I always disable those "system defined options" anyway...
and use my own automated servers:/directories

there was lots of discussion the past couple weeks of what
needs to be in /etc/auto.master and /etc/auto.misc
and automaps from NIS and which to read first and functions
supported or not...
	- newest supported feature is ldap in autofs

have fun
( sounds like time to update this thing soon -- past due )
- and nope....hpa is the maintainer/creator of autofs...
On Fri, 30 Jun 2000, Christopher W. Curtis wrote:

> I'm obviously doing something wrong ...
> I've written to the maintainer of the autofs package according to the
> page summary listed under 'packages' from the website, and as I also saw
> somewhere else (dpkg -s listing?).  I filed a bug report against autofs
> and marked it as release critical.  I have heard nothing for the past
> two (three?) days and need to make this known:
> There is a severe security problem for all debian machines running any
> version of autofs and having a floppy drive available as /dev/fd0.  The
> options listed in /etc/auto.misc fail to include the options
> "nosuid,nodev" and as such anyone with a floppy disk and physical access
> to a floppy drive may become root on that machine.
> Here is the 'sploit:
... deleted...
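The weakness the thread describes is a map entry for removable media that lacks `nosuid,nodev`, so a filesystem brought in on a floppy is trusted for set-user-ID bits and device nodes. The following is an added example, not code from either message in this thread: an audit of an `/etc/auto.misc`-style map that reports entries missing those options and rewrites them so every entry carries them. The sample map is constructed for the example and is not the Debian file of 2000.

```python
# Audit and harden an autofs map in the "key [-options] location" form
# used by /etc/auto.misc.  The sample below is a constructed example.
SAMPLE_AUTO_MISC = """\
# automounter map: key [-options] location
cd      -fstype=iso9660,ro,nosuid,nodev   :/dev/cdrom
floppy  -fstype=auto                       :/dev/fd0
boot    -fstype=ext2                       :/dev/hda1
"""

# Mount options that keep a removable filesystem from being trusted:
# nosuid ignores set-user-ID/set-group-ID bits, nodev ignores device nodes.
REQUIRED = ("nosuid", "nodev")


def parse_map(text):
    """Return (key, options_list, location) for each non-comment entry."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) >= 3 and fields[1].startswith("-"):
            entries.append((fields[0], fields[1][1:].split(","), fields[2]))
        elif len(fields) == 2:
            entries.append((fields[0], [], fields[1]))  # no options at all
        # any other shape is malformed; skip it rather than guess
    return entries


def missing_options(opts):
    """Hardening options an entry lacks; empty tuple when none are missing."""
    return tuple(o for o in REQUIRED if o not in opts)


def audit(text):
    """Map each key that lacks nosuid/nodev to the options it is missing."""
    return {k: missing_options(o) for k, o, _ in parse_map(text)
            if missing_options(o)}


def harden_line(line):
    """Rewrite one map line so its options include nosuid and nodev."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return line
    if len(fields) >= 3 and fields[1].startswith("-"):
        opts = fields[1][1:].split(",")
        fields[1] = "-" + ",".join(opts + list(missing_options(opts)))
    elif len(fields) == 2:
        fields.insert(1, "-" + ",".join(REQUIRED))
    else:
        return line  # malformed line left untouched
    return " ".join(fields)


def harden(text):
    """Return the whole map with every entry carrying nosuid,nodev."""
    return "\n".join(harden_line(l) for l in text.splitlines()) + "\n"
```

Running `audit()` over the sample flags `floppy` and `boot`; running it over `harden()`'s output flags nothing.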

