a small security problem

Joseph C. Lininger jbahm at pcdesk.net
Sun Jun 4 18:44:24 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What it most likely did was to clear the suid bit on mount. If it
didn't, and you don't need anyone other than root to be able to mount
filesystems, then I recommend setting the permissions like this:

chmod 755 /bin/mount

Or wherever your mount is. If you absolutely need to ensure only root
can run mount, then try this:

chown root /bin/mount
chmod 700 /bin/mount

However, be advised that reinstalling the package containing mount on
your system will probably reset these permissions. I recommend the 755
set in any case, simply because I have never evaluated the effect of
setting 700, and don't know if things will break. But definitely do
clear suid and sgid bits on that binary if you don't need them so that
mount doesn't automatically run as root when it does run.

While we're on the subject, Bastille makes a good tool for obtaining
hardening "suggestions", but you should not treat its suggestions as
any more than that. It doesn't catch all security concerns, and it is
definitely not always a good idea to do what it suggests. Make sure you
understand what the options do before you execute them. Don't just
blindly make changes because some tool suggests you should. I think you
probably know this if you are asking about the permissions on the mount
binary, but this is more a general note for everyone.

- --
It's not one damn thing after another, it's the same damn thing over and
over. (History repeats itself)
Joseph C. Lininger
Oh alright, here's the *actual* signature...

And so it came to pass that on Sun, 4 Jun 2006, Tyler Littlefield said

> Hey list,
> I have a problem, I just ran bastille, and it made mount accessible to
> everyone--not just root. Is there a way to change this?
> Thanks,
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFEg2JMJ6dqn0mqPbARAuD4AJ9Y995CKL4DO0gHEJrq0aBAyPekPACg8DKP
0O2bfFhS4JYVCVNGy7tGVpg=
=+P+t
-----END PGP SIGNATURE-----
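A small POSIX shell helper, added here as an example and not part of Joseph's message, that checks a binary for the setuid/setgid bits he is talking about and clears them. The function names (`special_bits`, `clear_special_bits`, `demo_audit`) are my own, and the demo works on a constructed temporary file rather than on /bin/mount so it can be run without privileges.

```shell
#!/bin/sh
# Added example (not from the original message): audit a binary for the
# setuid/setgid bits and clear them, as the advice above recommends when
# only root needs to run mount. Uses only POSIX find and chmod.

# Print which special bits a file carries: "suid", "sgid", "suid sgid" or "none".
special_bits() {
    path=$1
    bits=""
    # -prune keeps find from descending if the path is a directory;
    # -perm -4000 / -perm -2000 match when the setuid / setgid bit is present.
    if [ -n "$(find "$path" -prune -perm -4000 2>/dev/null)" ]; then
        bits="suid"
    fi
    if [ -n "$(find "$path" -prune -perm -2000 2>/dev/null)" ]; then
        bits="${bits:+$bits }sgid"
    fi
    printf '%s\n' "${bits:-none}"
}

# Drop both special bits and leave the rest of the mode alone. On a binary
# that is already rwxr-xr-x this gives the same result as the "chmod 755"
# suggested above, but it will not widen or narrow a file whose other
# permission bits differ.
clear_special_bits() {
    chmod u-s,g-s "$1"
}

# Self-contained demonstration on a constructed temporary file (owned by the
# caller, not root). Returns "<bits before> -> <bits after>".
demo_audit() {
    tmp=$(mktemp) || return 1
    chmod 4755 "$tmp"          # give the scratch file a setuid-style mode
    before=$(special_bits "$tmp")
    clear_special_bits "$tmp"
    after=$(special_bits "$tmp")
    rm -f "$tmp"
    printf '%s -> %s\n' "$before" "$after"
}

# Usage on a real system (inspect first; clearing is a deliberate second step):
#   special_bits /bin/mount
#   clear_special_bits /bin/mount   # as root, once you know user mounts are not needed
```

Note that, as the message says, a package reinstall or upgrade will usually restore the bit, so the inspect step is worth repeating after package operations.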