* a small security problem
From: Tyler Littlefield
To: Speakup is a screen review system for Linux.
Hey list,
I have a problem: I just ran Bastille, and it made mount accessible to everyone--not just root. Is there a way to change this?
Thanks,
* Re: a small security problem
From: Joseph C. Lininger
To: Tyler Littlefield, Speakup is a screen review system for Linux.
What it most likely did was to clear the suid bit on mount. If it
didn't, and you don't need anyone other than root to be able to mount
filesystems, then I recommend setting the permissions like this:

    chmod 755 /bin/mount

Or wherever your mount is. If you absolutely need to ensure only root
can run mount, then try this:

    chown root /bin/mount
    chmod 700 /bin/mount

However, be advised that reinstalling the package containing mount on
your system will probably reset these permissions. I recommend the 755
set in any case, simply because I have never evaluated the effect of
setting 700, and don't know if things will break. But definitely do
clear suid and sgid bits on that binary if you don't need them so that
mount doesn't automatically run as root when it does run.

While we're on the subject, Bastille makes a good tool for obtaining
hardening "suggestions", but you should not treat its suggestions as
any more than that. It doesn't catch all security concerns, and it is
definitely not always a good idea to do what it suggests. Make sure you
understand what the options do before you execute them. Don't just
blindly make changes because some tool suggests you should. I think you
probably know this if you are asking about the permissions on the mount
binary, but this is more a general note for everyone.
--
It's not one damn thing after another, it's the same damn thing over and
over. (History repeats itself)
Joseph C. Lininger
Oh alright, here's the *actual* signature...
And so it came to pass that on Sun, 4 Jun 2006, Tyler Littlefield said
> Hey list,
> I have a problem: I just ran Bastille, and it made mount accessible to
> everyone--not just root. Is there a way to change this?
> Thanks,
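An added example, not part of the original messages: a small POSIX shell check that reports which of the permission states described in the reply above a binary is in (suid/sgid set, world-executable without suid, or owner-only). It assumes GNU coreutils `stat`; the function names `mode_flags` and `audit_binary` are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes GNU coreutils stat (-c); function names are hypothetical.

# Print the security-relevant flags of a file's mode:
#   suid / sgid  - runs with the owner's / group's privileges for any caller
#   world-exec   - users other than owner and group may execute it
#   restricted   - none of the above (e.g. mode 700)
mode_flags() {
    [ -f "$1" ] || return 2
    mode=$(stat -Lc '%a' "$1")        # e.g. 4755, 755, 700
    mode4=$(printf '%04d' "$mode")    # pad so the special-bits digit is present
    special=${mode4%???}              # first of the four octal digits
    other=${mode4#???}                # last digit: permissions for "other"
    flags=""
    case $special in 4|5|6|7) flags="suid" ;; esac
    case $special in 2|3|6|7) flags="${flags:+$flags,}sgid" ;; esac
    case $other in 1|3|5|7) flags="${flags:+$flags,}world-exec" ;; esac
    echo "${flags:-restricted}"
}

# Human-readable report for one binary, including its owner.
audit_binary() {
    flags=$(mode_flags "$1") || { echo "$1: not a regular file"; return 2; }
    owner=$(stat -Lc '%U' "$1")
    echo "$1: $flags (owner=$owner)"
    case $flags in
        *suid*|*sgid*)
            echo "  suid/sgid set: runs with owner/group privileges; chmod 755 clears both bits" ;;
    esac
    case $flags in
        restricted)
            [ "$owner" = root ] || echo "  owner-only mode, but owner is not root" ;;
    esac
}

# Usage: sh audit.sh /bin/mount   (or wherever your mount is)
if [ "$#" -gt 0 ]; then
    for p in "$@"; do audit_binary "$p"; done
fi
```

Because reinstalling the package can reset the mode, re-running the check after upgrades shows whether the suid bit has come back.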