Subject: Re: NetBSD Security Advisory 2000-001
To: Chris G. Demetriou <cgd@netbsd.org>
From: Soren S. Jorvang <soren@wheel.dk>
List: tech-security
Date: 02/16/2000 03:13:07
Cc: tech-security@netbsd.org
Message-ID: <20000216031307.A20476@gnyf.wheel.dk>
References: <14505.23693.773699.404104@passion.geek.com.au> <x6zot2w3h2.fsf@reddwarf.rightnowtech.com> <20000215230900.A6739@antioche.lip6.fr> <x6itzqw0di.fsf@reddwarf.rightnowtech.com> <20000215235049.A6841@antioche.lip6.fr> <20000215235639.B18825@gnyf.wheel.dk> <87g0utgb84.fsf@redmail.netbsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <87g0utgb84.fsf@redmail.netbsd.org>; from cgd@netbsd.org on Tue, Feb 15, 2000 at 05:58:03PM -0800

On Tue, Feb 15, 2000 at 05:58:03PM -0800, Chris G. Demetriou wrote:
> "Soren S. Jorvang" <soren@wheel.dk> writes:
> > > Well, I don't feel really comfortable with this ... I'd prefer to have it
> > > restricted to root.
> > 
> > Very much seconded. No matter how hard we try, it will continue to
> > be a tricky issue.
> 
> If it is, and is going to continue to be a security risk, then why do
> we ship it in default kernels at all?

I don't mean to say procfs or any of the other filesystems will
continue to be security risks (though they may well be), but that
allowing user mounts in general opens up lots and lots of
possibilities for holes that just wouldn't be threats without user
mounts, and while it may be possible to fix all filesystems, VFS
and the associated tools, even just identifying all the risks is
going to be hard.

Somewhat like 1777 /tmp, user mounts break a number of assumptions
and while some of those assumptions may even be unreasonable, it's
best to err on the side of caution. We are pretty much stuck with
1777 /tmp and people are very slowly fixing security in /tmp-using
programs. It seems to me that the similar potential issues for user
mounts were not fully considered when the feature was added and
since not many people are using it anyway, and amd works nicely for
the common application of mounting local removable media, it seems
wise to disable it with a sysctl by default, at least for now.


-- 
Soren