From owner-freebsd-current  Tue Oct 21 17:43:34 1997
Return-Path: <owner-freebsd-current>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id RAA22309
          for current-outgoing; Tue, 21 Oct 1997 17:43:34 -0700 (PDT)
          (envelope-from owner-freebsd-current)
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id RAA22289;
          Tue, 21 Oct 1997 17:43:28 -0700 (PDT)
          (envelope-from bde@zeta.org.au)
Received: (from bde@localhost) by godzilla.zeta.org.au (8.8.7/8.6.9) id KAA17789; Wed, 22 Oct 1997 10:37:46 +1000
Date: Wed, 22 Oct 1997 10:37:46 +1000
From: Bruce Evans <bde@zeta.org.au>
Message-Id: <199710220037.KAA17789@godzilla.zeta.org.au>
To: dwmalone@maths.tcd.ie, gnat@frii.com
Subject: Re: -STABLE reboots
Cc: current@freebsd.org, freebsd-stable@freebsd.org
Sender: owner-freebsd-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>> Last time I checked any user could generate a panic
>> similar to this by typing:
>> 	mkdir /tmp/t
>> 	mount_msdos /tmp/t /tmp/t
>> Is anyone likely to have done this?

This is an old problem.  `mount -t any /foo /foo' always panics.  Fix:
don't do that.  However, since mount_msdos is setuid root, anyone can
do that using any = msdos.  Fix in 2.2: mount_msdos should not be
setuid root.

The problem is more serious in -current, since mount(2) is unprivileged,
so even `mount /foo /foo' panics (if the mounter is root or owns /foo).

Bruce