Mounting floppies

Gordon Burditt gordon at sneaky.TANDY.COM
Tue Nov 29 16:08:13 AEST 1988


>>I think it would be nice to have an option on mount that would basically say
>>"If the suid or guid bits are set on any files not owned by me, then clear the
>>bits and then mount the floppy."
>suid programs are not the only problem with allowing users to mount floppies,
>what is going to stop me from putting my floppy in the drive and saying
>mount /dev/floppy /etc
>
>now i have mounted a floppy as /etc...  what happens if i have a passwd file

A long time ago I wrote a program that allowed users to mount floppies
"safely".  It ran setuid and checked the device against an allowable list
of devices that were mountable by users.  It permitted a given device to
be mounted in *EXACTLY ONE* place, which existed only for that purpose.
It checked that the directory being mounted on was empty.  It scanned the
floppy for set-uid programs.  (It was my preference to disallow mounting
rather than reset setuid bits.  I didn't like the idea of supposedly
"clean" copies of master distribution disks getting contaminated.)
It also insisted that every sector of the floppy was readable.
It shut off access to the raw and buffered devices when the floppy was 
mounted.  It knew all the names that referred to the same drive.
It poked around in the kernel to check that someone didn't already have
the device open before access was shut off.  There were hooks in the program 
for an authorized users list for each device.  Under consideration was
embedding a more thorough version of fsck into the program, and provision
to allocate exclusive access to a particular user BEFORE the user had to
insert the floppy.

It didn't work.  It was trivial to defeat, by a method similar to this:

1.  Insert "clean" floppy in drive.
2.  Mount it on /mnt0, using so-called "safe mount" described above.
3.  Read War & Peace while it checked the floppy.
4.  Remove "clean" floppy from drive (without dismounting).
5.  Insert floppy containing setuid shell, preferably somewhere besides
    the top-level directory.
6.  Cause plenty of hard disk activity to flush out the cache with
    a command like "du /usr".
7.  Invoke setuid shell.
8.  Wreak havoc.

What the command needs, but didn't have, is a provision to either have the
driver refuse to do any I/O after the floppy is swapped while the drive is
open until it is closed (well, the driver actually did this, provided the
drive detected the change.  The new, improved drives didn't unless there
was I/O in progress on that drive at the time), or make the drive not let go
of the floppy while the drive is open without risk of electrocution of the 
person attempting removal.

					Gordon L. Burditt
					...!texbell!sneaky!gordon

P.S. Even this wouldn't prevent the alternate attack:
1.	Obtain several cans of Classic Coke (tm).
2.	Telephone sysadmin or get his attention by yelling.
3.	Hold open cans of Coke (tm), or one can of Coke (tm) and one
	HandGun (tm) over CPU and threaten to pour Coke (tm) onto
	the circuit board unless the sysadmin tells you the root password.
* Classic Coke (tm) is a trademark (tm) of someone, darn it.
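The failure described in the post is a check-then-use race: the program validated one medium and the kernel mounted whatever was in the drive when the mount call finally happened. Below is an added Python model of the "safe mount" checks (allowed device, single permitted mount point, empty mount point, readable sectors, no set-id files) with the guard the post says was missing, a media-change generation that the mount step compares against the value recorded at check time. This is example code, not Gordon Burditt's program or any real mount(8); the `Drive`, `Medium`, `FileEntry` types, the `ALLOWED_MOUNTS` table, `/dev/floppy0`, `/mnt0`, the `during_check` hook and every sample file on the media are constructed for the illustration.

```python
# Added example, not the poster's program: a model of the "safe mount" checks
# plus a media-change guard standing in for the driver behaviour the post asks for.
from dataclasses import dataclass, field

S_ISUID = 0o4000
S_ISGID = 0o2000

# Assumption: each user-mountable device has exactly one permitted mount point.
ALLOWED_MOUNTS = {"/dev/floppy0": "/mnt0"}


@dataclass
class FileEntry:
    path: str
    uid: int
    mode: int            # permission bits, e.g. 0o4755 for a set-uid binary


@dataclass
class Medium:
    files: list
    bad_sectors: set = field(default_factory=set)   # sector numbers that fail to read


class Drive:
    """Simulated floppy drive.  `generation` is bumped on every media swap and
    plays the role of the driver's media-change detection."""

    def __init__(self, medium):
        self.medium = medium
        self.generation = 0

    def swap(self, medium):
        self.medium = medium
        self.generation += 1


def setid_files(medium):
    """Paths of every set-uid or set-gid file anywhere on the medium,
    not just in the top-level directory."""
    return [f.path for f in medium.files if f.mode & (S_ISUID | S_ISGID)]


def safe_mount(drive, device, mountpoint, mountpoint_empty,
               guard_media_change=True, during_check=None):
    """Return (mounted, reason, setid_paths_now_visible).

    `during_check` is a hook the caller can use to simulate a media swap while
    the checks are running (the slow part of the original program).
    `guard_media_change=False` models the original program, which had no guard
    between finishing the checks and performing the mount."""
    if ALLOWED_MOUNTS.get(device) != mountpoint:
        return False, "device or mount point not permitted", []
    if not mountpoint_empty:
        return False, "mount point not empty", []

    generation_at_check = drive.generation
    checked = drive.medium
    if checked.bad_sectors:
        return False, "unreadable sectors: %s" % sorted(checked.bad_sectors), []
    bad = setid_files(checked)
    if bad:
        return False, "set-id files on medium: %s" % bad, []

    if during_check is not None:      # the checks take a while
        during_check(drive)

    # The missing piece: if the medium changed while the drive was open,
    # refuse to proceed rather than mounting whatever is in the drive now.
    if guard_media_change and drive.generation != generation_at_check:
        return False, "medium changed after checks; refusing to mount", []

    mounted = drive.medium
    visible = setid_files(mounted)
    return True, "mounted %s on %s" % (device, mountpoint), visible


if __name__ == "__main__":
    clean = Medium(files=[FileEntry("/README", 1000, 0o644)])
    swapped_in = Medium(files=[FileEntry("/tools/sh", 0, 0o4755)])
    swap = lambda d: d.swap(swapped_in)
    # Original program: checks pass on the clean disk, swapped disk gets mounted.
    print(safe_mount(Drive(clean), "/dev/floppy0", "/mnt0", True,
                     guard_media_change=False, during_check=swap))
    # With the guard: the same swap is detected and the mount is refused.
    print(safe_mount(Drive(clean), "/dev/floppy0", "/mnt0", True,
                     during_check=swap))
```

The point the model makes is that none of the per-medium checks can be made strong enough on their own; what closes the hole is binding the checked object to the mounted object, which in the post's setting only the driver (or the drive's latch) can do.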