Date:      Wed, 11 Jun 1997 16:14:06 +0900 (JST)
From:      Takeshi WATANABE <watanabe@crayon.planet.kobe-u.ac.jp>
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   misc/3846: The sample /etc/amd.map has a security hole.
Message-ID:  <199706110714.QAA26419@crayon.planet.kobe-u.ac.jp>
Resent-Message-ID: <199706110730.AAA07689@hub.freebsd.org>


>Number:         3846
>Category:       misc
>Synopsis:       The sample /etc/amd.map has a security hole.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 11 00:30:01 PDT 1997
>Last-Modified:
>Originator:     Takeshi WATANABE
>Organization:
Kobe University, Kobe, Japan
>Release:        FreeBSD 2.2.1-RELEASE i386
>Environment:

	All machines which use "amd" with the default /etc/amd.map

>Description:

  The default /etc/amd.map has a serious security hole.

=-=-=-=
/defaults   type:=host;fs:=${autodir}/${rhost};rhost:=${key}
*           opts:=rw,grpid
=-=-=-=

  If we use this map file, a non-privileged user can mount any remote file
systems that the remote machines export.  If the remote file system contains
dangerous SetUID executable files or world-writable device files, the
non-privileged user can execute or read them.  So, he/she can easily get root
authority.

  When the "amd" mount point of this map file is "/net", the cracker can
become root just by executing the following.

	/net/crackers.host.machine/.../setuid-shell

(where crackers.host.machine exports /...)

>How-To-Repeat:

	Always.

>Fix:

  We should change /etc/amd.map!  The following lines are one sample.

=-=-=-=
/defaults          type:=host;fs:=${autodir}/${rhost};rhost:=${key}
#my.friend.machine opts:=rw,grpid
*                  opts:=rw,grpid,nosuid,nodev
=-=-=-=

We should use "nosuid" and "nodev" for "*".

       =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
              Takeshi WATANABE (watanabe@komadori.planet.kobe-u.ac.jp)
                            Graduate School of Science and Technology,
                               Kobe University   Nada, Kobe 657, Japan
>Audit-Trail:
>Unformatted:
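
Added example, not part of the original report or of FreeBSD's own tooling: a small auditor that reads an amd map and lists every entry whose effective mount options lack "nosuid" or "nodev". The function names are hypothetical, the two sample maps are copied from the report, and the parsing is a simplification that assumes "name:=value" settings separated by ";" and entries without "opts" inheriting the ones on "/defaults".

```python
import re

REQUIRED = {"nosuid", "nodev"}

# The two maps quoted in the report, embedded as sample input.
ORIGINAL_MAP = """\
/defaults   type:=host;fs:=${autodir}/${rhost};rhost:=${key}
*           opts:=rw,grpid
"""
FIXED_MAP = """\
/defaults          type:=host;fs:=${autodir}/${rhost};rhost:=${key}
#my.friend.machine opts:=rw,grpid
*                  opts:=rw,grpid,nosuid,nodev
"""

def parse_map(text):
    """Yield (key, [location, ...]) for each non-comment logical line."""
    text = re.sub(r"\\\n[ \t]*", "", text)  # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, *locations = line.split()
            yield key, locations

def opts_of(location):
    """Return the set of options in opts:=..., or None when opts is absent."""
    for setting in location.split(";"):
        name, sep, value = setting.partition(":=")
        if sep and name.strip() == "opts":
            return set(value.split(","))
    return None

def audit(text):
    """Return [(key, [missing options])] for entries lacking nosuid/nodev."""
    default_opts, findings = None, []
    for key, locations in parse_map(text):
        if key == "/defaults":
            for loc in locations:
                default_opts = opts_of(loc) or default_opts
            continue
        for loc in locations or [""]:  # a bare key inherits /defaults
            opts = opts_of(loc)
            effective = opts if opts is not None else (default_opts or set())
            missing = REQUIRED - effective
            if missing:
                findings.append((key, sorted(missing)))
    return findings

if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL_MAP), ("fixed", FIXED_MAP)):
        print(name, audit(sample))
```

Uncommenting the "my.friend.machine" line in the fixed map makes that entry show up again, since it carries "rw,grpid" only.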


