
Re: SECURITY PROBLEM: autofs [all versions]



Nathan Paul Simons wrote:

>         On top of that, we have our Linux-only machines set up so
> that ctl-alt-del spits up a message saying "This is a Linux-only
> machine", and the power and reset buttons are disabled, as well
> as the magic sys request keys.

I thought about unplugging the reset button and power switches, but it's
tough to hit them accidentally and if someone wanted the system down,
they'd pull the plug out of the back.  I like having the ability to
reset because I think it's easier on mechanical devices.

Is the reason for disabling SysRq simply the same (ability to reboot,
etc) or do you think there could be an exploitable condition with the
information given?

>         Oh yeah, we also don't use autofs for user mountable
> or removable media.

This is obviously a good idea given the SEVERE BUG (why do people argue
over things like local users being able to trivially get root being
severe?) present, in both the manpage (which recommends the auto.misc
Debian uses) and the defaults.  Why did you choose to do this initially?

Chris


