Re: Removable media security in FreeBSD

From: Jason Stone (
Date: 06/10/03

    Date: Mon, 9 Jun 2003 16:40:15 -0700 (PDT)


    > Allowing the user to use sudo would effectively be giving him/her root
    > privileges, which we explicitly don't want to do.

    You understand that sudo allows the user to only run a particular command
    with particular arguments as root, right? You also understand that you're
    asking, at a fundamental level, to allow the user to perform privileged
    operations, right?

    > If the desktop manager can be set up to change ownerships, etc., upon
    > login, it would help.

    Yes, this can be done, and by default xdm/gdm/kdm all chown /dev/console
    to the user logging in. So a super-easy but somewhat inflexible solution
    would be to just modify the xdm/kdm startup scripts to chown /mnt/floppy
    to the user, set it 0700 and mount it at login time, and then umount and
    chown back to root at logout time.

    As for allowing the user to mount stuff on demand in the middle of a
    session, that will be more complicated. If I had to do it, I think I
    might have a setuid C program that checked to see if the invoking user
    owned the console and then ran the appropriate mount command. If you have
    one such program per mountable device, you wouldn't even have to check the
    command line or environment. I haven't fully thought this through yet, so
    there might be some problem with it.

    rwatson, of course, points out the real security consideration -
    regardless of how you deal with the essentially quotidian details of
    letting users "safely" run a privileged command, allowing users to mount
    filesystems at will is inherently dangerous, as there's an extent to which
    the kernel trusts the contents of the filesystem. By specially crafting
    the contents of the floppy, the user has the ability to directly insert
    potentially malicious data into certain kernel data structures.

    On more than one occasion, I've crashed FreeBSD 3.x and 4.x boxes by
    trying to work with corrupted msdos floppy images - clearly, the msdos fs
    implementation is not (or at least was not - I haven't looked at it
    recently) very careful, and it's not at all unreasonable to think that
    someone could exploit this.


     Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
     that he was insufficiently fondled when he was an infant.
            -- Ashley Montagu


