From owner-freebsd-security Fri May 17 17:04:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA02938 for security-outgoing; Fri, 17 May 1996 17:04:43 -0700 (PDT)
Received: from shell.aros.net (root@shell.aros.net [205.164.111.19]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id RAA02927; Fri, 17 May 1996 17:04:40 -0700 (PDT)
Received: (from angio@localhost) by shell.aros.net (8.7.5/Unknown) id SAA01785; Fri, 17 May 1996 18:04:25 -0600 (MDT)
From: Dave Andersen
Message-Id: <199605180004.SAA01785@shell.aros.net>
Subject: Re: very bad (fwd)
To: jkh@time.cdrom.com
Date: Fri, 17 May 1996 18:04:25 -0600 (MDT)
Cc: freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, angio@aros.net
X-Mailer: ELM [version 2.4ME+ PL13 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Since it's already out, I'm CC:'ing this to the general list.

chmod u-s /sbin/mount_union is *not* a complete fix. The mount_msdos command is similarly vulnerable:

bash$ export PATH=/tmp:$PATH
bash$ whoami
angio
bash$ mount_msdos /asdf /tmp
# whoami
root

The only difference in this is that mount_msdos checks to see if the mount point exists before it tries to mount it.

My suggestion: chmod ug-s /sbin/mount_*

-Dave Andersen

----- Forwarded message from invalid opcode -----

Too bad it's already on BUGTRAQ and BoS which is way more than 1000 :-( And I would have sent it to security-officer@freebsd.org had I even known of such an address. The prepared fix is chmod u-s /sbin/mount_union.

== Chris Layne ======================================== Nervosa Computing ==
== coredump@nervosa.com ================ http://www.nervosa.com/~coredump ==

----- End of forwarded message from invalid opcode -----

-- 
angio@aros.net  Complete virtual hosting and business-oriented system administration Internet services.
(WWW, FTP, email)  http://www.aros.net/  http://www.aros.net/about/virtual
"There are only two industries that refer to their customers as 'users'."
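The check a practitioner would run after reading this thread, written here as an added example and not taken from Dave Andersen's message: a small POSIX shell script that lists every set-user-ID or set-group-ID regular file matching a glob directly under a directory, shows their mode and owner, and on request clears both bits, which is the `chmod ug-s /sbin/mount_*` fix proposed above applied only to files that actually carry a bit. The directory and glob are parameters; the defaults /sbin and mount_* come from the message, while the script name audit_setid.sh and the report/fix subcommands are assumptions of this example.

```shell
#!/bin/sh
# audit_setid.sh (added example, not part of the original post)
# Audit and, optionally, strip setuid/setgid bits on a directory's mount helpers.
# Defaults (/sbin, mount_*) mirror the suggestion in the message; everything
# else here is an assumption of this example.

# find_setid DIR [GLOB]: print regular files directly under DIR whose name
# matches GLOB and which carry the setuid (04000) or setgid (02000) bit,
# one path per line, sorted. GLOB defaults to every file.
find_setid() {
    dir=$1
    glob=${2:-'*'}
    find "$dir" -maxdepth 1 -type f -name "$glob" \
        \( -perm -4000 -o -perm -2000 \) -print | sort
}

# report_setid DIR [GLOB]: same selection, shown with mode and owner so an
# admin can see which helpers still run with elevated privilege.
report_setid() {
    find_setid "$@" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# strip_setid DIR [GLOB]: clear both bits on every match (chmod ug-s) and
# report each file changed. Touches only files that had a bit set, so a
# re-run is a no-op.
strip_setid() {
    find_setid "$@" | while IFS= read -r f; do
        chmod ug-s "$f" && echo "cleared set-id bits on $f"
    done
}

# Command-line entry point:
#   sh audit_setid.sh            -> report set-id files matching /sbin/mount_*
#   sh audit_setid.sh fix        -> strip the bits on those files (run as root)
#   sh audit_setid.sh report /usr/sbin 'mount_*'
case "${1:-report}" in
    report) report_setid "${2:-/sbin}" "${3:-mount_*}" ;;
    fix)    strip_setid  "${2:-/sbin}" "${3:-mount_*}" ;;
    *)      echo "usage: $0 [report|fix] [dir] [glob]" >&2; exit 2 ;;
esac
```

Note that find_setid only looks one level deep and only at regular files, so a helper installed as a symlink, or a set-id binary living in another directory, will not show up; run it against each directory you ship helpers from, and rerun the report after the fix to confirm nothing matching the glob is left.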