Date: Mon, 9 Jun 2003 15:39:31 +0200 From: zk <zk@wspim.edu.pl> To: security@freebsd.org Cc: Robert Watson <rwatson@freebsd.org> Subject: Re: Removable media security in FreeBSD Message-ID: <20030609133931.GA471@hhos.serious.ld> In-Reply-To: <Pine.NEB.3.96L.1030608115332.67632D-100000@fledge.watson.org> References: <20030608080429.GA234@hhos.serious.ld> <Pine.NEB.3.96L.1030608115332.67632D-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Jun 08, 2003 at 11:57:04AM -0400, Robert Watson wrote: > > If the definition of the policy really means "any user who can log in at > the console", I'd change the chown/chmod bits to a pointer to fbtab, and > use vfs.usermount. > The problem with fbtab: i want to give mount permission to some console user and not to the other. And what about xdm. Is there any solution besides changing scripts in /usr/X11R6/lib/X11/xdm. > On the "SECURE" front -- well, it depends a bit on how robust our file > system support is. Bad UFS file systems can cause the FreeBSD kernel to > behave improperly, since it's assumed that file systems will be clean or > explicitly checked before mounting. I've never really experimented much > with our FAT file system support to see how robust it is; we have a > 5.2-RELEASE TODO list item to merge some robustness improvements from the > Darwin implementation back into FreeBSD, which suggests our implementation > could be improved on :-). I believe our usermount support carefully sets > nodev, nosuid, etc, on any file systems mounted by root, but haven't > tested that in a bit. >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030609133931.GA471>