Removable media security in FreeBSD

Jason Stone freebsd-security at dfmm.org
Mon Jun 9 16:40:17 PDT 2003




> Allowing the user to use sudo would effectively be giving him/her root
> privileges, which we explicitly don't want to do.

You understand that sudo allows the user to only run a particular command
with particular arguments as root, right?  You also understand that you're
asking, at a fundamental level, to allow the user to perform privileged
operations, right?


> If the desktop manager can be set up to change ownerships, etc., upon
> login, it would help.

Yes, this can be done, and by default xdm/gdm/kdm all chown /dev/console
to the user logging in.  So a super-easy but somewhat inflexible solution
would be to just modify the xdm/kdm startup scripts to chown /mnt/floppy
to the user, set it 0700 and mount it at login time, and then umount and
chown back to root at logout time.

As for allowing the user to mount stuff on demand in the middle of a
session, that will be more complicated.  If I had to do it, I think I
might have a setuid C program that checked to see if the invoking user
owned the console and then ran the appropriate mount command.  If you have
one such program per mountable device, you wouldn't even have to check the
command line or environment.  I haven't fully thought this through yet, so
there might be some problem with it.


rwatson, of course, points out the real security consideration -
regardless of how you deal with the essentially quotidian details of
letting users "safely" run a privileged command, allowing users to mount
filesystems at will is inherently dangerous, as there's an extent to which
the kernel trusts the contents of the filesystem.  By specially crafting
the contents of the floppy, the user has the ability to directly insert
potentially malicious data into certain kernel data-structures.

On more than one occasion, I've crashed FreeBSD 3.x and 4.x boxes by
trying to work with corrupted msdos floppy images - clearly, the msdos fs
implementation is not (or at least was not - I haven't looked at it
recently) very careful, and it's not at all unreasonable to think that
someone could exploit this.


 -Jason

 --------------------------------------------------------------------------
 Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
 that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu



