
Re: SECURITY PROBLEM: autofs [all versions]



On Fri, Jun 30, 2000 at 09:56:45PM -0700, Alvin Oga wrote:
> 
> hi christopher...
> 
> anytime someone has physical access to the machine...
> you already have a security problem.... ( my definition )
> 
many people run labs of computers, in which they need
as much physical security as possible.  And don't say just reboot
off of a floppy, cuz any decent lab will have the bios password
protected, and boots directly from the HD without trying the
floppy or CD.

That was the problem discussed with MBR awhile back, that it gave the
option of booting from something else anyways, but that, like this, is
considered something the admin should be informed of, but not done
for them (I guess this might get done).

> i am not sure that you can get physical access as root
> from the options shown in /etc/auto.misc.... but if you
> are correct....wow...wonder how many people tried it...
> and only now surfaces ???
> 
> I always disable those "system defined options" anyway...
> and use my own  automated   servers:/directories
> 
> there was lots of discussion the past couple weeks of what
> needs to be in /etc/auto.master and /etc/auto.misc
> and automaps from NIS and which to read first and functions
> supported or not...
> 	- newest supported feature is ldap in autofs
> 
> have fun
> alvin
> http://www.linux-consulting.com:/Amd_AutoFS/autofs-HOWTO.html
> ( sounds like time to update this thing soon -- past due )
> - and nope....hpa is the maintainer/creator of autofs...
>  
> On Fri, 30 Jun 2000, Christopher W. Curtis wrote:
> 
> > I'm obviously doing something wrong ...
> > 
> > I've written to the maintainer of the autofs package according to the
> > page summary listed under 'packages' from the website, and as I also saw
> > somewhere else (dpkg -s listing?).  I filed a bug report against autofs
> > and marked it as release critical.  I have heard nothing for the past
> > two (three?) days and need to make this known:
> > 
> > There is a severe security problem for all debian machines running any
> > version of autofs and having a floppy drive available as /dev/fd0.  The
> > options listed in /etc/auto.misc fail to include the options
> > "nosuid,nodev" and as such anyone with a floppy disk and physical access
> > to a floppy drive may become root on that machine.
> > 
> > Here is the 'sploit:
> > 
> ... deleted...
> 
> 
> 

-- 
Erik Bernhardson
journey@jps.net
--
It is better to remain silent and be considered a fool, than to speak and
remove all doubt.
	-- Abraham Lincoln
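A defender-side check for the weakness described in the quoted report: audit an autofs map like /etc/auto.misc for local-device entries that lack nosuid,nodev, and emit a corrected copy. This is an added example, not code from the thread or from the autofs package; it assumes the simple `key [-options] location` map format from autofs(5) and uses a constructed sample map.

```shell
# Added example (not from the thread): audit an autofs map such as /etc/auto.misc
# for :/dev/... entries missing nosuid,nodev and emit a corrected copy. Map format
# (autofs(5)): key [-options] location. Assumption: :/dev/... locations are local media.
# Constructed sample map in the style of the auto.misc of the time.
SAMPLE_MAP=$(mktemp)
trap 'rm -f "$SAMPLE_MAP"' EXIT
cat > "$SAMPLE_MAP" <<'EOF'
# constructed sample automounter map
cd	-fstype=iso9660,ro	:/dev/cdrom
floppy	-fstype=auto	:/dev/fd0
safe	-fstype=auto,nosuid,nodev	:/dev/fd1
music	-fstype=nfs,ro	fileserver:/export/music
EOF
# missing_opts OPTS: print ",nosuid" and/or ",nodev" for whichever is absent from OPTS.
missing_opts() {
    m=""
    for want in nosuid nodev; do
        case ",${1#-}," in *",$want,"*) ;; *) m="$m,$want" ;; esac
    done
    printf '%s' "$m"
}
# audit_automap [MAP]: print "key missing=..." for each :/dev/ entry lacking the options.
audit_automap() {
    cat "${1:--}" | while read -r key opts loc; do
        case $key in ''|\#*) continue ;; esac
        if [ -z "$loc" ]; then loc=$opts; opts=""; fi   # entry with no options field
        case $loc in :/dev/*) ;; *) continue ;; esac
        m=$(missing_opts "$opts")
        if [ -n "$m" ]; then printf '%s missing=%s\n' "$key" "${m#,}"; fi
    done
}
# fix_automap [MAP]: write the map to stdout with nosuid,nodev added where missing.
# Handles single-location entries only; comments and blank lines pass through.
fix_automap() {
    cat "${1:--}" | while IFS= read -r line; do
        case $line in ''|\#*) printf '%s\n' "$line"; continue ;; esac
        set -f; set -- $line; set +f                    # split fields without globbing
        key=$1; opts=${2:-}; loc=${3:-}
        if [ -z "$loc" ]; then loc=$opts; opts=""; fi
        case $loc in :/dev/*) m=$(missing_opts "$opts") ;; *) m="" ;; esac
        if [ -n "$m" ]; then
            if [ -n "$opts" ]; then opts="$opts$m"; else opts="-${m#,}"; fi
        fi
        if [ -n "$opts" ]; then printf '%s\t%s\t%s\n' "$key" "$opts" "$loc"; else printf '%s\t%s\n' "$key" "$loc"; fi
    done
}
audit_automap "$SAMPLE_MAP"
```

Running it on the sample flags the `cd` and `floppy` entries; `fix_automap /etc/auto.misc` prints a corrected map to review before replacing the real file.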
