[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#27050 (fdutils): A cause for security concern?

Hello Ben, Avery and Wichert!

On Wed, Jan 20, 1999 at 12:50:59AM +0100, Wichert Akkerman wrote:
> Previously Anthony Fok wrote:
> > As the Slink deep freeze and release are impending, I would like to ask your
> > advice: Should I follow the suggestion given by the bug reporter Thomas
> > Roessler?
> I think so. For people who want to mount floppies without being root
> you can also use a line in /etc/fstab like this:
> /dev/fd0     /floppy    auto      noauto,noexec,nodev,user       0  0

Yes, I already have something similar in my /etc/fstab.  The problem is
that fdmount is independent of mount.  It doesn't even touch

Unfortunately, the suggestion "chown root.floppy" and "chmod [12]754"
won't work either because fdmount.c has this check in it:

    if (geteuid()!=0)
        die("Must run with EUID=root");

I am a little bit tempted to comment that line out, but it's probably
there for a reason, and I am definitely not qualified to hack
fdmount.c, so for now I should probably add a /usr/sbin/fdutilsconfig
as Thomas has suggested.

> fdmount should probably be audited so we really know if it's secure. You
> could submit it to the security-auditing list
> (security-audit@ferret.lmh.ox.ac.uk).

Thanks for the info!  

> > If so, should I fix this bug before Slink is out?
> Yes. I would hate to discover a vulnerability and release an advisory
> days after we release slink..

Okay, I will try to do it soon then.  Hopefully I will have my school
assignments finished before the end of the weekend.  :-)

Thanks a lot for all your advice and suggestions!


Anthony Fok Tung-Ling                Civil and Environmental Engineering
foka@ualberta.ca, foka@debian.org    University of Alberta, Canada
anthony_fok@catholic.org             Keep smiling!  *^_^*
Come visit Our Lady of Victory Camp -- http://www.olvc.ddns.org/
                                    or http://www.ualberta.ca/~foka/OLVC/

Reply to: