Re: Bug#27050 (fdutils): A cause for security concern?
Hello Ben, Avery and Wichert!
On Wed, Jan 20, 1999 at 12:50:59AM +0100, Wichert Akkerman wrote:
> Previously Anthony Fok wrote:
> > As the Slink deep freeze and release are impending, I would like to ask your
> > advice: Should I follow the suggestion given by the bug reporter Thomas
> > Roessler?
> I think so. For people who want to mount floppies without being root
> you can also use a line in /etc/fstab like this:
>     /dev/fd0 /floppy auto noauto,noexec,nodev,user 0 0
Yes, I already have something similar in my /etc/fstab. The problem is
that fdmount is independent of mount. It doesn't even touch
Unfortunately, the suggestion "chown root.floppy" and "chmod 754"
won't work either because fdmount.c has this check in it:
    die("Must run with EUID=root");
I am a little bit tempted to comment that line out, but it's probably
there for a reason, and I am definitely not qualified to hack
fdmount.c, so for now I should probably add a /usr/sbin/fdutilsconfig
as Thomas has suggested.
> fdmount should probably be audited so we really know if it's secure. You
> could submit it to the security-auditing list
Thanks for the info!
> > If so, should I fix this bug before Slink is out?
> Yes. I would hate to discover a vulnerability and release an advisory
> days after we release slink..
Okay, I will try to do it soon then. Hopefully I will have my school
assignments finished before the end of the weekend. :-)
Thanks a lot for all your advice and suggestions!
Anthony Fok Tung-Ling Civil and Environmental Engineering
email@example.com, firstname.lastname@example.org University of Alberta, Canada
email@example.com Keep smiling! *^_^*
Come visit Our Lady of Victory Camp -- http://www.olvc.ddns.org/