Date: Thu, 20 Jun 2002 09:41:05 -0700 (PDT)
From: aeonflux <aeonflux@trioptimum.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: conf/39580: insecure default settings
Message-ID: <200206201641.g5KGf5of051981@www.freebsd.org>

>Number:         39580
>Category:       conf
>Synopsis:       insecure default settings
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 20 09:50:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     aeonflux
>Release:        4.6 release
>Organization:
none
>Environment:
4.6 release
>Description:
By default in the install, when you have label create the drive partitions for you, a /tmp label is created; however, it is not mounted with the options "nofollowsymlinks", which would help stop race conditions. As well, /tmp is not mounted with nosuid, allowing suid bit binaries to execute from the tmp directory.

Further reading from Kris Kennaway:
http://old.lwn.net/2000/1221/a/sec-tmp.php3
>How-To-Repeat:
exploit any race condition, like the adobe pdf writer one for example. symlink a predictable file in /tmp to /etc/master.passwd, etc... you all know the drill.
>Fix:
edit /etc/fstab after installation and change the options to "rw,nosymfollow,nosuid"
alter sysinstall to make those options default.
>Release-Note:
>Audit-Trail:
>Unformatted:
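
A check for the /etc/fstab change given in the Fix field, as an added example (not part of the original PR and not a FreeBSD tool). The function name missing_mount_opts, its exit codes and the sample device names are assumptions made for illustration; the sample fstab is constructed.

```shell
#!/bin/sh
# Added example: report which hardening options an fstab entry lacks.
# REQUIRED holds the two options named in the PR's Fix field.
REQUIRED="nosymfollow nosuid"

# missing_mount_opts FSTAB MOUNTPOINT   (hypothetical helper)
# Prints the required options absent from MOUNTPOINT's entry.
# Exit status: 0 = entry found and hardened, 1 = options missing,
# 2 = no entry for MOUNTPOINT (e.g. /tmp lives on the root filesystem).
missing_mount_opts() {
    fstab=$1; mnt=$2; found=0; missing=""
    while read -r dev mp fstype opts rest; do
        case $dev in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$mp" = "$mnt" ] || continue
        found=1
        for want in $REQUIRED; do
            case ",$opts," in
                *",$want,"*) ;;                   # option already set
                *) missing="$missing $want" ;;
            esac
        done
    done < "$fstab"
    [ "$found" -eq 1 ] || return 2
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: the layout the PR describes, with /tmp mounted plain "rw".
sample=$(mktemp) || exit 1
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1a     /           ufs     rw       1     1
/dev/ad0s1e     /tmp        ufs     rw       2     2
/dev/ad0s1f     /usr        ufs     rw       2     2
EOF

if out=$(missing_mount_opts "$sample" /tmp); then
    echo "/tmp: ok"
else
    echo "/tmp: missing options: $out"
fi
```

On a live system the first argument would be /etc/fstab; exit status 2 means /tmp has no separate entry, so the options would have to be applied to whichever filesystem holds it.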