[mdlug] /etc/sudoers -A rant and an attempt at better documentation
Daniel Hedlund
daniel at digitree.org
Sun Jan 7 09:41:36 EST 2007
Ray,
Raymond McLaughlin wrote:
> # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
The above is not your fault at all because it's part of the default
config that also appears in my sudoers, but just a word of warning. I'm
pretty sure that the above command has some potential security problems
(I'll relay this on to their dev team). The above command should
probably read, at a minimum:
%users ALL=/sbin/mount -t iso9660 /cdrom,/sbin/umount /cdrom
CDs that are inserted into a computer don't have to follow the ISO-9660
format; they can also be created by burning a variety of different file
formats onto the beginning of the disc, UDF being another good example.
The disc is read like any other type of floppy/hard/USB disk, just
that it's read-only. Imagine the implications if someone burned an ext2
filesystem onto the start of a CD that had binaries with the owner root
but also had the SUID flags set on some of those files. I haven't
tested this myself, but it seems plausible.
Cheers,
Daniel Hedlund
daniel at digitree.org
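The two checks below are an added example, not part of Daniel's post or of the sudo project's own code. They assume a Linux box with a /proc/mounts-style mount table and POSIX find/awk; the mount table text and the directory contents are constructed here, not captured from a real system. One caveat worth attaching to the suggested `-t iso9660` restriction: an ISO 9660 disc with Rock Ridge extensions carries POSIX mode bits, setuid included, so pinning the filesystem type narrows the problem but does not remove it. The mount option that actually makes the kernel ignore setuid bits and device nodes on the medium is `nosuid,nodev` (which is what the `user` option in /etc/fstab implies), so the tighter sudoers line would be `%users ALL=/sbin/mount -t iso9660 -o nosuid,nodev /cdrom,/sbin/umount /cdrom`. The first function tells you whether a given mount point is currently mounted without `nosuid`; the second lists the setuid files an attacker would have planted on a burned ext2 image.

```shell
#!/bin/sh
# Added example (not from the original post). Two checks around the
# "%users ALL=/sbin/mount /cdrom" rule:
#   mount_lacks_nosuid MOUNTS_TEXT MOUNTPOINT
#       exit 0 when MOUNTPOINT is mounted without the nosuid option
#       (setuid bits on that medium are honoured), 1 when nosuid is set,
#       2 when the mount point is not present at all.
#   find_setuid DIR / count_setuid DIR
#       list (or count) regular files under DIR with the setuid bit set.

# Constructed sample in /proc/mounts format: a root filesystem, a CD
# mounted the safe way, and a burned ext2 disc mounted with no hardening.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/hdc /cdrom iso9660 ro,nosuid,nodev 0 0
/dev/hdd /mnt/burned ext2 ro 0 0'

# Parse the mount table: field 2 is the mount point, field 4 the
# comma-separated option list.
mount_lacks_nosuid() {
    mounts="$1"
    mp="$2"
    printf '%s\n' "$mounts" | awk -v mp="$mp" '
        $2 == mp {
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "nosuid") has_nosuid = 1
        }
        END {
            if (!found) exit 2
            exit has_nosuid ? 1 : 0
        }'
}

# Setuid regular files under a directory, sorted for stable output.
# On a real system run this against the mount point (e.g. /cdrom).
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

count_setuid() {
    find_setuid "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: report on the sample table, then build a scratch tree
# with one setuid file (standing in for a planted binary) and count it.
demo() {
    for mp in /cdrom /mnt/burned; do
        if mount_lacks_nosuid "$SAMPLE_MOUNTS" "$mp"; then
            echo "$mp: mounted WITHOUT nosuid, setuid bits will be honoured"
        else
            echo "$mp: nosuid set (or not mounted)"
        fi
    done
    scratch=$(mktemp -d)
    : > "$scratch/readme"
    : > "$scratch/rootshell"
    chmod u+s "$scratch/rootshell"   # setuid on a file we own; no root needed for the demo
    echo "setuid files under $scratch: $(count_setuid "$scratch")"
    find_setuid "$scratch"
    rm -rf "$scratch"
}

case "$0" in */sudoers_cd_check.sh|sudoers_cd_check.sh) demo ;; esac
```

The `case` at the end only runs the demo when the file is executed under the (assumed) name sudoers_cd_check.sh, so the functions can also be sourced into another script. Against a live system replace SAMPLE_MOUNTS with `$(cat /proc/mounts)` and point find_setuid at the real mount point.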