Date: Thu, 20 Jun 2002 07:00:36 -0700 (PDT)
From: Vasil Dimov <vd@etrade.bg>
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/39573: uid 0 check in install.sh in 4.6-disc1.iso can be circumvented
Message-ID: <200206201400.g5KE0aUC034406@www.freebsd.org>

>Number:         39573
>Category:       bin
>Synopsis:       uid 0 check in install.sh in 4.6-disc1.iso can be circumvented
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 20 07:10:03 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Vasil Dimov
>Release:        4.6-STABLE
>Organization:
eTrade.bg
>Environment:
FreeBSD vihren.etrade.xx 4.6-STABLE FreeBSD 4.6-STABLE #0: Mon Jun 17 15:38:29 EEST 2002 root@vihren.etrade.xx:/usr/src/sys/compile/VIHREN i386
>Description:
all the scripts named install.sh in the 4.6-disc1.iso
MD5 (4.6-disc1.iso) = 99666e6f33820af3b060734203202e35
use the same check to ensure the caller is uid 0:

    if [ "`id -u`" != "0" ]; then
        echo "Sorry, this must be done as root."
        exit 1
    fi

which can be easily passed by nonuid0 users, probably causing
"Permission denied" in the following commands.
if this check is needed at all it should be fixatored to something
more unpassable.
>How-To-Repeat:
assuming we are in the cdrom root dir

    $ ./bin/install.sh
    Sorry, this must be done as root.
    $
    $ echo "echo 0" > ~/bin/id
    $ chmod 700 ~/bin/id
    $ export PATH=~/bin:$PATH
    $ ./bin/install.sh
    You are about to extract the base distribution into / - are you SURE you want to do this over your installed system (y/n)? n
    $
>Fix:
`id -u` should be changed to: `/usr/bin/id -u`
this is not so obvious to pass, yeah
>Release-Note:
>Audit-Trail:
>Unformatted:
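
The following is an added example, not part of the original report and not code from install.sh: it puts the quoted check and the proposed /usr/bin/id form side by side and records which one ends up executing an id found earlier in PATH. The function names, the temporary directory and the marker file are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: the shadow "id" and its marker file are constructed here.

# The check as quoted in the report: "id" is resolved through the caller's PATH.
weak_check() {
    [ "$(id -u)" = "0" ]
}

# The report's proposed fix: an absolute path, so PATH is never consulted.
fixed_check() {
    [ "$(/usr/bin/id -u)" = "0" ]
}

# Create a private directory holding a stand-in "id" that prints 0 and
# touches a marker file, so we can tell afterwards whether it was executed.
setup_shadow() {
    SHADOW_DIR=$(mktemp -d) || return 1
    MARKER="$SHADOW_DIR/ran"
    cat > "$SHADOW_DIR/id" <<EOF
#!/bin/sh
: > "$MARKER"
echo 0
EOF
    chmod 700 "$SHADOW_DIR/id"
}

# Run the named check with the shadow directory first in PATH.
# Prints "shadowed" if the stand-in id ran, "clean" if not, plus the
# check's exit status (rc=0 means the script would proceed as root).
probe() {
    rm -f "$MARKER"
    if ( PATH="$SHADOW_DIR:$PATH"; export PATH; "$1" ) >/dev/null 2>&1; then
        status=0
    else
        status=1
    fi
    if [ -e "$MARKER" ]; then
        echo "shadowed rc=$status"
    else
        echo "clean rc=$status"
    fi
}

setup_shadow
echo "id -u          : $(probe weak_check)"
echo "/usr/bin/id -u : $(probe fixed_check)"
rm -rf "$SHADOW_DIR"
```

The unqualified form always reports "shadowed rc=0"; the absolute-path form reports "clean" with rc reflecting the real uid of whoever runs it.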