Thor,

Disable booting from floppy in BIOS, password protect LILO, install chassis intrusion detection system wired to gun turrets with 50mm heavy machine guns...

...okay, I think I'm going a little overboard here... ;)

Regards,
Alex.

---
PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9

On Sat, 1 Jul 2000, Thor wrote:

> Hi,
>
> > I'm obviously doing something wrong ...
> >
> > I've written to the maintainer of the autofs package according to the
> > page summary listed under 'packages' from the website, and as I also saw
> > somewhere else (dpkg -s listing?). I filed a bug report against autofs
> > and marked it as release critical. I have heard nothing for the past
> > two (three?) days and need to make this known:
> >
> > There is a severe security problem for all Debian machines running any
> > version of autofs and having a floppy drive available as /dev/fd0. The
> > options listed in /etc/auto.misc fail to include the options
> > "nosuid,nodev" and as such anyone with a floppy disk and physical access
> > to a floppy drive may become root on that machine.
> >
> > Here is the 'sploit:
>
> huh ? and you call this an xploit ?
>
> if you have physical access to the console and floppy drive you can always
> start with a boot + root floppy, mount the hard disk and modify the
> mounted /etc/passwd file ... this is an old trick, useful when you
> lose the root password ;-)
>
> ---
> ;---+---;
> bye |
> bye |hor
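
A check for the misconfiguration described in the quoted bug report, as an added example that is not part of the original thread: it parses an autofs map in the `key [-options] location` form and reports entries mounted without `nosuid` or `nodev`. The sample map is constructed, the function names are hypothetical, and by default only local-device entries (location starting with `:`) are treated as in scope.

```python
"""Audit a Sun-format autofs map for entries mounted without nosuid/nodev."""

REQUIRED = ("suid", "dev")  # each must be negated: nosuid, nodev

# Constructed sample in the style of /etc/auto.misc (not taken from any package).
SAMPLE_MAP = """\
# key   [-options]                        location
cd      -fstype=iso9660,ro,nosuid,nodev   :/dev/cdrom
floppy  -fstype=auto                      :/dev/fd0
usb     -fstype=vfat,nosuid               :/dev/sda1
kernel  -ro,soft,intr                     ftp.example.org:/pub/linux
"""


def parse_map(text):
    """Yield (key, options, location) for each map entry."""
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("+"):  # blank, comment, included map
            continue
        key, *rest = line.split()
        opts = []
        if rest and rest[0].startswith("-"):
            opts = [o for o in rest.pop(0)[1:].split(",") if o]
        yield key, opts, " ".join(rest)


def negated(opts, flag):
    """True if the last of flag/no<flag> in opts is the 'no' form."""
    state = False
    for opt in opts:
        if opt == "no" + flag:
            state = True
        elif opt == flag:  # a later explicit suid/dev re-enables it
            state = False
    return state


def audit(text, local_only=True):
    """Map each offending key to the protective options it lacks."""
    findings = {}
    for key, opts, location in parse_map(text):
        if local_only and not location.startswith(":"):
            continue  # assumption: only local devices are in scope
        missing = ["no" + f for f in REQUIRED if not negated(opts, f)]
        if missing:
            findings[key] = missing
    return findings


if __name__ == "__main__":
    for key, missing in audit(SAMPLE_MAP).items():
        print(f"{key}: add {','.join(missing)}")
```

Run against a real map by passing the file's contents to `audit()`; pass `local_only=False` to include network mounts as well.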

