Update mount - problems with permissions of vfat partition
Hello!

After installing the patch util-linux-9919 I have problems mounting vfat partitions. This patch does indeed fix a security hole in mount:

| Security update for mount and umount. Both programs did not set their umask
| and so local attackers could write arbitrary data into the mtab file,
| because it was created with the wrong permissions.

The umask now apparently is 033 (unless I set it differently with the umask parameter in fstab). The annoying thing is: all directories get this umask as well, so they deny unprivileged users read access to the files in them.

If I now set the umask to 022 (or 023) to allow all users (or certain users) to read the files, then all files get the x bit set, which I actually wanted to avoid. Can anything be changed about that? The options noexec and ro in fstab now apparently have no effect at all with vfat (once upon a time one could use noexec to take the x bit away from ordinary files, while directories kept it).

Ciao,
Hatto
On Wed, Nov 13, 2002 at 10:13:02AM +0100, Hatto von Hatzfeld wrote:
Hello!

Oh, sorry. I forgot that this is an English mailing list. So I try to write an English version of my question:

Hello! :-)

After applying the patch util-linux-9919 to my SuSE 7.3 I have got problems mounting vfat partitions. The patch actually corrects a related bug:

| Security update: The mount and umount program did not set their umask
| properly. Local attackers could exploit this flaw to write arbitrary
| content into the mtab file because upon creation this file was world
| writeable.

Now the umask seems to be 033 (unless I define a different value in the file /etc/fstab). Unfortunately this umask is applied to directories, too. So unprivileged users are unable to read any file on the mounted volume.

Setting the umask to 023 I can enable some users to read these files; but now all files get the x-bit as well, a thing I'd like to avoid.

I remember that in former times (at least in SuSE 6.2) using the option noexec in /etc/fstab I could make all directories on a vfat partition readable, while ordinary files did not get the x-bit. Now neither noexec nor ro seem to have any effect on vfat partitions.

What to do about that?

Thanks and bye,
Hatto von Hatzfeld
Hi, There seem to be two problems here.
Now the umask seems to be 033 (unless I define a different value in the file /etc/fstab). Unfortunately this umask is applied to directories, too. So unprivileged users are unable to read any file on the mounted volume.
I think it's a good idea to set a umask option in fstab anyway, but I agree that the documented default behavior should have been retained.
Setting the umask to 023 I can enable some users to read these files; but now all files get the x-bit as well, a thing I'd like to avoid.
Now that's a different issue, most likely has nothing to do with the update. If it sets the x bit on regular files now, then it probably did so before the update, too.

Olaf
--
Olaf Kirch     |  Anyone who has had to work with X.509 has probably
okir@suse.de   |  experienced what can best be described as
---------------+  ISO water torture. -- Peter Gutmann
On Wed, Nov 13, 2002 at 04:31:03PM +0100, Olaf Kirch wrote: [about umask in fstab]
Setting the umask to 023 I can enable some users to read these files; but now all files get the x-bit as well, a thing I'd like to avoid.
Now that's a different issue, most likely has nothing to do with the update. If it sets the x bit on regular files now, then it probably did so before the update, too.
I think you are right, and this update made me notice something which happened with my upgrade from SuSE 6.2 to 7.3. I am sure that in SuSE 6.2 the option noexec worked with vfat; now it has no effect any more. Is there something I can do about that?

Thanks and bye,
Hatto v. Hatzfeld
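
Added example, not part of the thread or of util-linux: a Python check of the mode bits a vfat mount presents for a given fstab option string, showing why a single umask cannot give traversable directories and non-executable files at once. The 033 default is the value reported in the thread; fmask and dmask are vfat mount options not mentioned in the thread and are assumed to be supported by the running kernel; the option strings are constructed samples.

```python
import stat

def parse_masks(options):
    """Return (fmask, dmask) from a comma-separated vfat mount option string.

    umask applies to files and directories alike; fmask and dmask, where the
    kernel supports them (assumption), override it for one kind only.
    """
    opts = dict(o.split("=", 1) for o in options.split(",") if "=" in o)
    umask = int(opts.get("umask", "033"), 8)  # 033: default reported in the thread
    fmask = int(opts["fmask"], 8) if "fmask" in opts else umask
    dmask = int(opts["dmask"], 8) if "dmask" in opts else umask
    return fmask, dmask

def effective_modes(options):
    """(file_mode, dir_mode) presented for every entry on the volume."""
    fmask, dmask = parse_masks(options)
    return 0o777 & ~fmask, 0o777 & ~dmask

def audit(options):
    """Summarise what users outside owner and group ("other") can do."""
    fmode, dmode = effective_modes(options)
    can_enter = bool(dmode & stat.S_IXOTH)  # x on a directory = may traverse it
    return {
        "file_mode": oct(fmode),
        "dir_mode": oct(dmode),
        "others_can_enter_dirs": can_enter,
        # Reading a file needs r on the file and x on its directory.
        "others_can_read_files": can_enter and bool(fmode & stat.S_IROTH),
        "files_executable": bool(fmode & 0o111),
    }

# Constructed option strings, as they would appear in the fourth fstab field.
SAMPLES = ["umask=033", "umask=022", "umask=023", "noauto,user,fmask=133,dmask=022"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, audit(sample))
```
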