Date: Mon, 6 Dec 2004 16:20:10 +0100
From: Ruben de Groot
To: freebsd-security@freebsd.org
Subject: Unprivileged user can write to mbr
Message-ID: <20041206152010.GA4747@ei.bzerk.org>

Hi,

I'm having trouble rationalizing the behaviour described below. Is this a
security-issue (bug) or a feature?

- An unprivileged user 'bztest' with read-only access to /dev/ar0:

%id
uid=1004(bztest) gid=1004(test) groups=1004(test), 5(operator)
%ls -l /dev/ar0
crw-r----- 1 root operator 4, 21 Nov 23 17:34 /dev/ar0

- Now, the device ar0 has the standard mbr installed:

%cmp /dev/ar0 /boot/mbr
/dev/ar0 /boot/mbr differ: char 447, line 1

- The boot0cfg program does not have any setuid bits:

%ls -l /usr/sbin/boot0cfg
-r-xr-xr-x 1 root wheel 7940 Oct 26 22:47 /usr/sbin/boot0cfg

- The test user now uses boot0cfg to install the boot0 bootblock:

%boot0cfg -B -b /boot/boot0 /dev/ar0
%cmp /dev/ar0 /boot/mbr
/dev/ar0 /boot/mbr differ: char 13, line 1
%cmp /dev/ar0 /boot/boot0
/dev/ar0 /boot/boot0 differ: char 447, line 5

Can somebody explain this?

thanks,
Ruben de Groot