Re: SECURITY PROBLEM: autofs [all versions]
hi christopher...
anytime someone has physical access to the machine...
you already have a security problem.... ( my definition )
i am not sure that you can get physical access as root
from the options shown in /etc/auto.misc.... but if oyu
are correct....wow...wonder how many people tried it...
and only now surfaces ???
I always disable those "system defined options" anyway...
and use my own automated servers:/directories
there was lots of discussion the past couple weeks of what
needs to be in /etc/auto.master and /etc/auto.misc
and automaps from NIS and which to read first and functions
supported or not...
- newest supported feature is ldap in autofs
have fun
alvin
http://www.linux-consulting.com:/Amd_AutoFS/autofs-HOWTO.html
( sounds like time to update this thing soon -- past due )
- and nope....hpa is the maintainer/creator of autofs...
On Fri, 30 Jun 2000, Christopher W. Curtis wrote:
> I'm obviously doing something wrong ...
>
> I've written to the maintainer of the autofs package according to the
> page summary listed under 'packages' from the website, and as I also saw
> somewhere else (dpkg -s listing?). I filed a bug report against autofs
> and marked it as release critical. I have heard nothing for the past
> two (three?) days and need to make this known:
>
> There is a severe security problem for all debian machines running any
> version of autofs and having a floppy drive available as /dev/fd0. The
> options listed in /etc/auto.misc fail to include the options
> "nosuid,nodev" and as such anyone with a floppy disk and physical access
> to a floppy drive may become root on that machine.
>
> Here is the 'sploit:
>
... deleted...
Reply to: