Date: Mon, 9 Jun 2003 16:40:15 -0700 (PDT)
From: Jason Stone <freebsd-security@dfmm.org>
To: <security@freebsd.org>
Subject: Re: Removable media security in FreeBSD
Message-ID: <20030609161342.Q14379-100000@walter>
In-Reply-To: <200306092254.QAA10240@lariat.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Allowing the user to use sudo would effectively be giving him/her root
> privileges, which we explicitly don't want to do.

You understand that sudo allows the user to only run a particular command with particular arguments as root, right? You also understand that you're asking, at a fundamental level, to allow the user to perform privileged operations, right?

> If the desktop manager can be set up to change ownerships, etc., upon
> login, it would help.

Yes, this can be done, and by default xdm/gdm/kdm all chown /dev/console to the user logging in. So a super-easy but somewhat inflexible solution would be to just modify the xdm/kdm startup scripts to chown /mnt/floppy to the user, set it 0700 and mount it at login time, and then umount and chown back to root at logout time.

As for allowing the user to mount stuff on demand in the middle of a session, that will be more complicated. If I had to do it, I think I might have a setuid C program that checked to see if the invoking user owned the console and then ran the appropriate mount command. If you have one such program per mountable device, you wouldn't even have to check the commandline or environment. I haven't fully thought this through yet, so there might be some problem with it.

rwatson, of course, points out the real security consideration - regardless of how you deal with the essentially quotidian details of letting users "safely" run a privileged command, allowing users to mount filesystems at will is inherently dangerous, as there's an extent to which the kernel trusts the contents of the filesystem. By specially crafting the contents of the floppy, the user has the ability to directly insert potentially malicious data into certain kernel data structures.

On more than one occasion, I've crashed FreeBSD 3.x and 4.x boxes by trying to work with corrupted msdos floppy images - clearly, the msdos fs implementation is not (or at least was not - I haven't looked at it recently) very careful, and it's not at all unreasonable to think that someone could exploit this.

 -Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant.
 -- Ashley Montagu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD4DBQE+5RrgswXMWWtptckRAmPjAJdGxq674DPsZfxlk2QuLku3QjTUAJ9AJ0LU
qoirX4LftzTdjP973kzGGA==
=VshS
-----END PGP SIGNATURE-----