From owner-freebsd-current Tue Oct 21 17:43:34 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id RAA22309 for current-outgoing; Tue, 21 Oct 1997 17:43:34 -0700 (PDT) (envelope-from owner-freebsd-current) Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id RAA22289; Tue, 21 Oct 1997 17:43:28 -0700 (PDT) (envelope-from bde@zeta.org.au) Received: (from bde@localhost) by godzilla.zeta.org.au (8.8.7/8.6.9) id KAA17789; Wed, 22 Oct 1997 10:37:46 +1000 Date: Wed, 22 Oct 1997 10:37:46 +1000 From: Bruce Evans Message-Id: <199710220037.KAA17789@godzilla.zeta.org.au> To: dwmalone@maths.tcd.ie, gnat@frii.com Subject: Re: -STABLE reboots Cc: current@freebsd.org, freebsd-stable@freebsd.org Sender: owner-freebsd-current@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >> Last time I checked any user could generate a panic >> similar to this by typing: >> mkdir /tmp/t >> mount_msdos /tmp/t /tmp/t >> Is anyone likely to have done this? This is an old problem. `mount -t any /foo /foo' always panics. Fix: don't do that. However, since mount_msdos is setuid root, anyone can do that using any = msdos. Fix in 2.2: mount_msdos should not be setuid root. The problem is more serious in -current, since mount(2) is unprivileged, so even `mount /foo /foo' panics (if the mounter is root or owns /foo). Bruce