
Re: SECURITY PROBLEM: autofs [all versions]



Adam Heath wrote:
> 
> On Mon, 3 Jul 2000, Christopher W. Curtis wrote:
> 
> > > System as shipped boots from floppy.
> > > System as shipped does not have password.
> >
> > So your answer is that basic security is not important enough to give
> > users out of the box?  Is there a 'hardening debian' guide somewhere
> > that says, "By default, all Debian installations are subject to the
> > following root compromises - you can fix each of these by doing a) b)
> > c).  While we have the ability to fix these for you before shipping you
> > an insecure OS, it's simply too much trouble to change one line in one
> > file when security is the concern of the person who installs the system,
> > and not the concern of the people releasing the system."
> 
> No, my answer is to make it usable for the majority of users, without removing
> functionality.

And the majority of users need to have SUID executables on their
floppies?

How come /etc/fstab disallows it then?  Are only users of autofs getting
full functionality from their floppies?

> > Or is it simply a matter of, "Well, to make it hard to break in, they
> > have to do a) and b) anyways, so while they're at it, they can just go
> > ahead and do f) - l) as well".
> 
> When securing a machine, you have to cover ALL bases.  NEVER assume that the
> defaults are secure.  If you want a truly secure machine, you need to audit
> every single piece of software, and its config files.

And you do that, and you find this problem.  And you say, gee, here's a
simple solution to a trivial problem.  Let me let people upstream know
about the problem so that maybe in the future we don't have to manually
edit our 128 node cluster for a trivial fix that affects virtually no one
in any negative way.  And they tell you that you need to audit the
software.

Thanks.

> > I thought Debian was all about high-quality releases - if you want to
> > take a microsoft style approach to security, why bother waiting for the
> > software to stabilize either?
> 
> It is too late in potato's cycle for this to be addressed.  If you read the
> very first email I sent in this thread, you would have seen that I had no
> problem adding those options.  I just won't be doing it for Debian 2.2.  Most
> likely it will be 2.2r1.

I appreciate that you find this important enough to change.  I just get
tired of the p!ssing contests.  Someone says here's a problem that's
trivial to fix, shows how to do it, and some joe starts spouting about
how stupid or unneeded it is, or that anyone doing X is going to do this
anyway, or some other load.

I did a "chmod -x /sbin/portmap" and the init script barfed.  I saw that
it was testing '-f' instead of '-x'.  I suggested this change and
someone actually told me that this was correct behavior because it
*should* fail if it was -f and not -x.  I consider that complete
garbage because if it was supposed to fail, what was the purpose of
checking at all?  Why not just do a "-z /dev/zero" because if it's not
there, it should fail anyway, right?

I think that there is a chasm between what Debian claims, and what the
individual developers claim, and that this is simply wrong.  If nothing
else, people should stop and think about what they post before doing so,
and admitting when they're wrong and learn from it.  These things are
not differences of opinions, which surely exist - these are very real
problems with very real solutions, and should not try to be swept under
the rug with a bunch of asinine excuses.

Christopher
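An added example, not code from this thread, from Debian or from the autofs package: a small POSIX sh audit that flags removable-media mounts lacking the nosuid/nodev options this exchange is about, plus the -x test the portmap init-script discussion calls for. The mount-table lines and the list of devices treated as removable are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit mount-table lines (fstab / /proc/mounts layout) for
# removable media mounted without nosuid/nodev, and show the -x check an
# init script should make before starting a daemon. Sample data is constructed.

# Constructed mount table: an autofs-style floppy under /misc lacks the
# restrictive options, the fstab-style one under /floppy has them.
SAMPLE_MOUNTS='/dev/fd0 /misc/floppy vfat rw,sync 0 0
/dev/fd0 /floppy vfat rw,noexec,nosuid,nodev,user 0 0
/dev/hda1 / ext2 rw,errors=remount-ro 0 0
/dev/hdc /cdrom iso9660 ro,nosuid,nodev 0 0'

# has_opt OPTS NAME: succeed if NAME is in the comma-separated OPTS list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts: read mount-table lines on stdin and print one line per
# removable device (assumed here: /dev/fd* and /dev/hdc) whose options
# lack nosuid or nodev. Prints nothing when every such mount is restricted.
audit_mounts() {
    while read -r dev mnt fstype opts rest; do
        [ -n "$dev" ] || continue
        case "$dev" in
            /dev/fd*|/dev/hdc) ;;     # treated as removable (constructed list)
            *) continue ;;
        esac
        missing=""
        has_opt "$opts" nosuid || missing="$missing nosuid"
        has_opt "$opts" nodev  || missing="$missing nodev"
        [ -z "$missing" ] || echo "$mnt ($dev): missing$missing"
    done
}

# daemon_runnable PATH: the test an init script should make before starting
# a daemon. Using -x (not -f) means an admin's "chmod -x" disables the
# service cleanly instead of the script failing when it tries to exec the file.
daemon_runnable() {
    [ -x "$1" ]
}

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```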
