[techtalk] request for ideas

Wendt,Andrew awendt at neo.rr.com
Mon Oct 11 18:19:53 EST 1999


On Mon, 11 Oct 1999, you wrote:
>No, the disk would not automatically execute, but if you allow Linux to
>boot up off of floppy, and someone else sticks their floppy in that
>drive then hard-reboots the computer, you have an issue.

This will happen regardless of whether you automount the floppy under Linux
won't it?

>Also, who the hell knows what is on that floppy disk that could
>contaminate or crack your system? If you allow it to automount, you are
>taking a risk that there is a program on that disk designed to exploit
>security holes which the user can now execute as the floppy has been
>mounted.

I don't see how that's a big deal. If you have any sort of network
connectivity, they could just download that same file from a webpage, or have
it emailed to them. If they're really desperate they could type in the program
and compile it... I think the real problem is the "security holes" in your
system, not the users being able to transfer files to the system...

>Ideally, for the paranoid of us, one would set their bios to boot off
>the harddrive only, password-protect bios, and continue to leave
>mount/umount of the floppy device solely under the control of root.

I'll definitely agree about the BIOS, but I still don't see why users mounting
removable-media filesystems is so bad. The only problem I can see is someone
forgetting to remove their floppy from the drive when they're done with it, so
another user mounts the floppy and reads their personal files. But if a user
has physical access to the machine where they can stick in a new floppy and
hard reboot like you mention above, they can pop in any disks that aren't
locked up...

TTFN

************
techtalk at linuxchix.org   http://www.linuxchix.org




More information about the Techtalk mailing list