<br><tt><font size=2>chris@ccburton.com wrote on 28/07/2010 09:22:21:<br>
</font></tt>
<br><tt><font size=2>[SNIP]</font></tt>
<br><tt><font size=2><br>
> and mount over something unfortunate. <br>
> <br>
> A better bodge would be a version of mount.cifs just for NX which
<br>
> doesn't prompt for password and so is safer for suid. <br>
> <br>
> This would reduce the time window for interupting it to milliseconds.
<br>
> <br>
> Still not good, but it would defeat the script kiddies. <br>
> <br>
</font></tt>
<br><tt><font size=2>OK I had a try . . . "c" if it helps
anyone . . . </font></tt>
<br>
<br><tt><font size=2>samba-3.4.2-1.1.3.1</font></tt>
<br>
<br><tt><font size=2>--- mount.cifs.c 2010-07-28
10:58:55.000000000 +0100</font></tt>
<br><tt><font size=2>+++ mount.cifs-one-shot.c 2010-07-28
10:58:38.000000000 +0100</font></tt>
<br><tt><font size=2>@@ -1342,6 +1342,7 @@</font></tt>
<br><tt><font size=2> }</font></tt>
<br>
<br><tt><font size=2> if(got_password == 0)
{</font></tt>
<br><tt><font size=2>+
exit(EX_USAGE);</font></tt>
<br><tt><font size=2>
char *tmp_pass = getpass("Password: "); /* BB obsolete sys call
but</font></tt>
<br><tt><font size=2>
no
good replacement yet. */</font></tt>
<br><tt><font size=2>
mountpassword = (char *)calloc(MOUNT_PASSWD_SIZE+1,1);</font></tt>
<br>
<br>
<br><tt><font size=2>The above bodge stops mount.cifs from halting to ask
for a password,</font></tt>
<br><tt><font size=2>whilst the bad guys change the mount point.</font></tt>
<br>
<br>
<br><tt><font size=2>Compiled ok</font></tt>
<br>
<br><tt><font size=2>so I created /usr/sbin/nx-mounts/ and copied
new binary into it.</font></tt>
<br><tt><font size=2>(plus also original umount.cifs)</font></tt>
<br>
<br><tt><font size=2>Set binaries owned by root and suid.</font></tt>
<br>
<br><tt><font size=2>-rwsr-sr-x 1 root root 39857 2010-07-28 11:23 /usr/sbin/nx-mounts/mount.cifs</font></tt>
<br><tt><font size=2>-rwsr-sr-x 1 root root 14240 2010-07-28 11:23 /usr/sbin/nx-mounts/umount.cifs</font></tt>
<br>
<br><tt><font size=2>Created group nx-mounts, changed directory ownership
and set some</font></tt>
<br><tt><font size=2>tight permissions</font></tt>
<br>
<br><tt><font size=2>d---r-x--- 2 root nx-mounts 4096 2010-07-28 11:23
/usr/sbin/nx-mounts/</font></tt>
<br>
<br><tt><font size=2>Added test user to group</font></tt>
<br>
<br><tt><font size=2>As before, it mounts for an ordinary user if that
user has write rights to</font></tt>
<br><tt><font size=2>the mount point, but won't mount if they don't (just
as before of course)</font></tt>
<br>
<br>
<br><tt><font size=2>If you supply a full set of parameters, it mounts
(in a fraction of a second)</font></tt>
<br><tt><font size=2>which will challenge any script-kiddie who has read
the exploit and fancies</font></tt>
<br><tt><font size=2>setting it off then changing the mount point</font></tt>
<br>
<br><tt><font size=2>If you don't supply a password, it just exits.</font></tt>
<br>
<br><tt><font size=2>'course its not a fix, (and don't tell the samba people),
but it is probably</font></tt>
<br><tt><font size=2>safer than sudo allowing mounting anywhere.</font></tt>
<br><tt><font size=2>and</font></tt>
<br><tt><font size=2>with sudo you have to allow your users to umount anything
too.</font></tt>
<br>
<br><tt><font size=2>with suid they can only umount things they own</font></tt>
<br>
<br><tt><font size=2>So use it or ignore it as you please . . . </font></tt>
<br>
<br><tt><font size=2>It will get you off the hook with the boss anyway,
if he's heard about</font></tt>
<br><tt><font size=2>this issue, or if you've just switched off his mapped
share . . . </font></tt>
<br>
<br><tt><font size=2>cb</font></tt>
<br>
<br>
<br>
<br>