Date: Sun, 8 Jun 2003 11:57:04 -0400 (EDT)
From: Robert Watson
To: zk
cc: security@freebsd.org
Subject: Re: Removable media security in FreeBSD
In-Reply-To: <20030608080429.GA234@hhos.serious.ld>
List-Id: Security issues [members-only posting]

On Sun, 8 Jun 2003, zk wrote:

> On Sun, Jun 08, 2003 at 01:28:50AM -0600, Brett Glass wrote:
> > since this would allow anyone to write someone else's removable media. Is
> > there a standard, SECURE way of allowing an unprivileged user at the console
> > to get at removable media that s/he has inserted in the machine?
>
> Create group floppy, chown 0:floppy /dev/floppy*, chmod g+rw /dev/fd0*
> and add user to group floppy.
And vfs.usermount=1

If the definition of the policy really means "any user who can log in at the console", I'd change the chown/chmod bits to a pointer to fbtab, and use vfs.usermount.

On the "SECURE" front -- well, it depends a bit on how robust our file system support is. Bad UFS file systems can cause the FreeBSD kernel to behave improperly, since it's assumed that file systems will be clean or explicitly checked before mounting. I've never really experimented much with our FAT file system support to see how robust it is; we have a 5.2-RELEASE TODO list item to merge some robustness improvements from the Darwin implementation back into FreeBSD, which suggests our implementation could be improved on :-).

I believe our usermount support carefully sets nodev, nosuid, etc, on any file systems mounted by root, but haven't tested that in a bit.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
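
One way to check the nosuid/nodev behaviour mentioned in the message above, as an added example that is not part of the original thread: a shell function that reads `mount`-style output and flags file systems mounted by a non-root user that lack those options. The sample lines are constructed, and the function names, the `REQUIRED` variable and the assumed output layout (`dev on dir (type, opts, mounted by user)`) are assumptions to adapt to the local system.

```shell
#!/bin/sh
# Added example: audit mount(8)-style output for user mounts missing options.
# REQUIRED is a hypothetical knob; drop nodev on releases without that option.
REQUIRED="${REQUIRED:-nosuid nodev}"

# Constructed sample input (not captured from a real machine).
sample_mounts() {
    cat <<'EOF'
/dev/ad0s1a on / (ufs, local, soft-updates)
/dev/fd0 on /home/alice/floppy (msdosfs, local, nosuid, nodev, mounted by alice)
/dev/da0s1 on /home/bob/usb (msdosfs, local, mounted by bob)
EOF
}

# Reads mount lines on stdin; prints "<dir> <user> missing:<flags>" per finding.
# Exit status is 1 if anything was flagged, 0 otherwise.
audit_user_mounts() {
    awk -v required="$REQUIRED" '
    {
        open = index($0, " (")              # start of the option list
        if (open == 0) next
        head = substr($0, 1, open - 1)
        opts = substr($0, open + 2)
        sub(/\)[ \t]*$/, "", opts)          # strip the closing parenthesis
        on = index(head, " on ")
        if (on == 0) next
        dir = substr(head, on + 4)
        n = split(opts, o, /, */)
        user = ""; split("", have)          # reset per line
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^mounted by /) user = substr(o[i], 12)
            else have[o[i]] = 1
        }
        if (user == "" || user == "root") next   # only audit user mounts
        m = split(required, r, " "); miss = ""
        for (j = 1; j <= m; j++)
            if (!(r[j] in have)) miss = miss (miss == "" ? "" : ",") r[j]
        if (miss != "") { print dir, user, "missing:" miss; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Demonstration on the constructed sample; on a live system: mount | audit_user_mounts
sample_mounts | audit_user_mounts || true
```
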