On Fri, Jan 20, 2006 at 03:59:23PM +0000, Kurt Pfeifle wrote:
> Wouter Verhelst wrote on debian-devel@lists.debian.org:
> > [Re-adding Cc to Kurt, as he's mentioned he isn't subscribed]
> >
> > On Fri, Jan 20, 2006 at 01:20:26PM +0800, Cameron Patrick wrote:
> > > Kurt Pfeifle wrote:
> > > > The klik client installation needs root privileges once, to add 7 lines
> > > > like this one to /etc/fstab:
> > > >
> > > >   /tmp/app/1/image /tmp/app/1 cramfs,iso9660 user,noauto,ro,loop,exec 0 0
> > >
> > > Doesn't this introduce a local root exploit? A user can easily write
> > > their own /tmp/app/1/image file which contains, say, a setuid root bash
> > > executable.
> >
> > Yes, that's exactly what I was afraid of, myself.
>
> Please try "man mount". If your manpage is similar to mine, it will
> contain something like:
>
> ---------------------------- snip ----------------------------------
> OPTIONS
>   user   Allow an ordinary user to mount the file system. The name
>          of the mounting user is written to mtab so that he can un-
>          mount the file system again. This option implies the op-
>          tions noexec, nosuid, and nodev (unless overridden by sub-
>          sequent options, as in the option line user,exec,dev,suid).
> ---------------------------- snap ----------------------------------
>
> Note the part mentioning "nosuid" - and compare it to the fstab line
> used by klik. :-)

You might want to read your manpage a bit more:

       nosuid Do not allow set-user-identifier or set-group-identifier bits to
              take effect. (This seems safe, but is in fact rather unsafe if
              you have suidperl(1) installed.)

Particularly note the parenthetical sentence.

On another point, I believe you said earlier that the admin is required
to add 7 of those lines to fstab before klik could be used. Does that
mean that no more than 7 applications can be installed, or that no more
than 7 users can use klik on the one machine? Either way, it seems quite
artificially limiting. If I have an 8th user who wants to use klik, what
do I do?

- Matt
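
Added example, not part of the original message or of klik: a small audit that applies the mount(8) rule quoted in this thread ("user" implies noexec, nosuid and nodev unless overridden by subsequent options) to fstab option fields and reports the effective exec/suid/dev state of each user-mountable entry. The function names are hypothetical, and the sample fstab is constructed apart from its first line, which is the klik entry quoted above. The suidperl caveat is not modelled.

```python
# Added example (not from the thread). Function names are hypothetical.
# The "user" rule is the one quoted above; "users", "owner" and "group" are
# the analogous rules from mount(8), which the thread does not quote.
IMPLIED = {
    "user": ("noexec", "nosuid", "nodev"),
    "users": ("noexec", "nosuid", "nodev"),
    "owner": ("nosuid", "nodev"),
    "group": ("nosuid", "nodev"),
}

def effective_flags(options):
    """Return (user_mountable, flags) for one fstab options field."""
    flags = {"exec": True, "suid": True, "dev": True}  # state with no options
    user_mountable = False

    def apply(opt):
        negated = opt.startswith("no")
        name = opt[2:] if negated else opt
        if name in flags:
            flags[name] = not negated

    for opt in (o.strip() for o in options.split(",")):
        if opt in IMPLIED:
            user_mountable = True
        elif opt == "nouser":
            user_mountable = False
        for implied in IMPLIED.get(opt, ()):
            apply(implied)
        apply(opt)  # a later option overrides what came before it
    return user_mountable, flags

def audit_fstab(text):
    """Map mount point -> effective flags for every user-mountable entry."""
    report = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        user_mountable, flags = effective_flags(fields[3])
        if user_mountable:
            report[fields[1]] = flags
    return report

# First entry is the klik line from the thread; the others are constructed.
SAMPLE_FSTAB = """\
/tmp/app/1/image /tmp/app/1 cramfs,iso9660 user,noauto,ro,loop,exec 0 0
/tmp/app/2/image /tmp/app/2 cramfs,iso9660 user,exec,dev,suid 0 0
/dev/sda1 / ext3 defaults 0 1
"""

if __name__ == "__main__":
    for mountpoint, flags in audit_fstab(SAMPLE_FSTAB).items():
        print(mountpoint, flags)
```

For the klik entry this reports exec on with suid and dev off; the ordering matters, so exec,user ends up noexec while user,exec does not.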