Hi,
> I'm obviously doing something wrong ...
>
> I've written to the maintainer of the autofs package according to the
> page summary listed under 'packages' from the website, and as I also saw
> somewhere else (dpkg -s listing?). I filed a bug report against autofs
> and marked it as release critical. I have heard nothing for the past
> two (three?) days and need to make this known:
>
> There is a severe security problem for all Debian machines running any
> version of autofs and having a floppy drive available as /dev/fd0. The
> options listed in /etc/auto.misc fail to include the options
> "nosuid,nodev" and as such anyone with a floppy disk and physical access
> to a floppy drive may become root on that machine.
>
> Here is the 'sploit:

huh ? and you call this an xploit ? if you have physical access to the console and floppy drive you can always start with a boot + root floppy, mount the hard disk and modify the mounted /etc/passwd file ...

this is an old trick, useful when you lose the root password ;-)

--- ;---+---; bye | bye |hor
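An added example, not part of the original messages: a small audit of an autofs map in the `key [-options] location` syntax that reports entries lacking the `nosuid` or `nodev` options named in the quoted report. The sample map, its keys and its device paths are constructed for illustration and are not the contents of any shipped `/etc/auto.misc`.

```python
REQUIRED = ("nosuid", "nodev")

# Constructed sample in autofs map syntax: key [-options] location
SAMPLE_AUTO_MISC = """\
# constructed sample, not a shipped Debian file
cd      -fstype=iso9660,ro,nosuid,nodev   :/dev/cdrom
floppy  -fstype=auto                      :/dev/fd0
zip     -fstype=vfat,nodev                :/dev/sda4
plain   :/dev/fd1
"""


def parse_entry(line):
    """Return (key, options, location), or None for blanks, comments, includes."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("+"):  # '+' pulls in another map
        return None
    fields = line.split()
    if len(fields) < 2:
        return None
    key, rest = fields[0], fields[1:]
    options = set()
    # The option field is optional; when present it starts with '-'
    while rest and rest[0].startswith("-"):
        options.update(o for o in rest.pop(0)[1:].split(",") if o)
    return key, options, " ".join(rest)


def audit_map(text):
    """List (key, location, missing_options) for entries missing a required option."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        key, options, location = entry
        missing = [o for o in REQUIRED if o not in options]
        if missing:
            findings.append((key, location, missing))
    return findings


if __name__ == "__main__":
    for key, location, missing in audit_map(SAMPLE_AUTO_MISC):
        print(f"{key} ({location}): missing {','.join(missing)}")
```
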

