Re: Black-hat guy mounting (a cdrom)
Oops....I forgot to mention, they should look at other security stuff.
Giving someone you don't trust with root the ability to unmount stuff
is dangerous. He may want to do something like
    luser ALL = /sbin/umount /dev/cd0c
or
    luser ALL = /sbin/umount /mnt
or something to that effect.
As with big security issues (sudo is a rather huge one IMO), read the
man page like 2-3 times, and play with options, not just try to make it
work, try to break it. (With the above example, try to unmount
/dev/wd1a or unmount /usr (or a different mount point). Don't try to
unmount /dev/wd0a (or your root drive), that's bad (duh).)
YMMV, void where prohibited, offer valid in 49 states, etc. (excuse my
extensive use of parentheses)
--- Chuck Yerkes <chuck@snew.com> wrote:
> Better is to write a script that WRAPS this, so that user cannot
> mount/unmount ANYTHING and that you force the mount to be "nosuid,
> nodev" (man 8 mount). Not that I don't trust people I won't
> give root access to. Even if you do, breaking in as a user
> and being able to umount things is pretty dangerous.
>
> Quoting Peter Hessler (yodadoa@yahoo.com):
<snip>
=====
Peter Hessler
<yodadoa@yahoo.com>
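
A sketch of the wrapper approach quoted above, added here as an example and not part of the original thread. The wrapper path in the sudoers comment and the cd9660 filesystem type are assumptions; the device and mount point are the ones named in the message.

```shell
#!/bin/sh
# Added example: fixed-purpose CD-ROM wrapper, meant to be the ONLY command
# granted in sudoers, e.g. (hypothetical install path):
#     luser ALL = /usr/local/sbin/cdrom
# Device, mount point and options are hard-coded, so the caller cannot
# mount or unmount anything else and cannot drop nosuid,nodev.

CD_DEV=/dev/cd0c                        # device named in the thread
CD_MNT=/mnt                             # mount point named in the thread
PATH=/sbin:/bin:/usr/bin; export PATH   # never trust the caller's PATH

# Print the exact command line for an action.
# Returns 1 for anything other than the single word "mount" or "umount".
cdrom_cmd() {
    [ "$#" -eq 1 ] || return 1          # reject extra arguments outright
    case "$1" in
        mount)  echo "/sbin/mount -t cd9660 -o ro,nosuid,nodev $CD_DEV $CD_MNT" ;;
        umount) echo "/sbin/umount $CD_MNT" ;;
        *)      return 1 ;;
    esac
}

# Validate, then run. Nothing typed by the user reaches mount/umount.
cdrom_main() {
    cmd=$(cdrom_cmd "$@") || { echo "usage: cdrom mount|umount" >&2; return 64; }
    $cmd    # word-splitting is safe here: the string is built from constants
}

# Run only when invoked with arguments.
[ "$#" -eq 0 ] || cdrom_main "$@"
```

With this in place, the break-it tests suggested in the message ("umount /usr", "mount /dev/wd1a") are rejected before any privileged command runs.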