Andrew Farmer wrote:
On Sun, 09 Nov 2003 06:29:35 -0800, Norbert Kamenicky muttered:
- snip -
Well, the problem is that you can only mount an image as a user if the
image and mountpoint are specified in the fstab. I still don't know why
mount (or the kernel or something) can't start allowing mounts of a file
readable by a user over a directory the user owns...
:-) :-) :-) ... security reason !
If you like to allow your users to mount just anything, (doesn't matter in which dir) it's the same, like give them root password ... never heard about Trojan horse ? :-)
PS. it's typical question of people who use windblowz (where security issues were made by diletants, if at all), but know nothing about unix security ...
hmmm.. could you give an example?
let's imagine that i allow all the wheel users to mount loopback-files (iso images).
how could that be a security risk?
thanks, gabor
at first just read again, the question and what I wrote ... to prevent misunderstanding.
ready ? so, go on !
User is running commands under it's (effective) id. Correct ? Password is stored in /etc/shadow, (which has not rw permissions for users ... try cat /etc/shadow).
Now, I have a question to you: How is it possible, users can change their password ?
The right answer is: Due to set uid/gid mechanism. ( run ls -l /bin/passwd)
So, is it a problem on your linux (where you are root) to copy some program (e.g. /bin/cat, but the best your own statically linked prog to new directory, and set uid flag on it? No ! (man chmod, if yes)
Now just make an iso image with Rock Ridge extension from that directory and copy (man scp) it to the system you like to crack ...
If you can "mount just anything" (without restrictions, which are setable in /etc/fstab), mount it and ride your Trojan horse like this:
path_to_your_mount_dir/cat /etc/shadow
Is it clear now ? If not, try it ... but on your own risk, I am not responsible for any damage!
noro
-- [EMAIL PROTECTED] mailing list
