From owner-freebsd-bugs Wed Jun 11 00:30:04 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id AAA07696 for bugs-outgoing; Wed, 11 Jun 1997 00:30:04 -0700 (PDT)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.5/8.8.5) id AAA07689; Wed, 11 Jun 1997 00:30:02 -0700 (PDT)
Resent-Date: Wed, 11 Jun 1997 00:30:02 -0700 (PDT)
Resent-Message-Id: <199706110730.AAA07689@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, watanabe@komadori.planet.kobe-u.ac.jp
Received: from crayon.planet.kobe-u.ac.jp (crayon.planet.kobe-u.ac.jp [133.30.50.177]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA07322 for ; Wed, 11 Jun 1997 00:20:05 -0700 (PDT)
Received: (from watanabe@localhost) by crayon.planet.kobe-u.ac.jp (8.8.5/3.5Wpl7-sub) id QAA26419; Wed, 11 Jun 1997 16:14:06 +0900 (JST)
Message-Id: <199706110714.QAA26419@crayon.planet.kobe-u.ac.jp>
Date: Wed, 11 Jun 1997 16:14:06 +0900 (JST)
From: Takeshi WATANABE
Reply-To: watanabe@komadori.planet.kobe-u.ac.jp
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: misc/3846: The sample /etc/amd.map has a security hole.
Sender: owner-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         3846
>Category:       misc
>Synopsis:       The sample /etc/amd.map has a security hole.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 11 00:30:01 PDT 1997
>Last-Modified:
>Originator:     Takeshi WATANABE
>Organization:   Kobe University, Kobe, Japan
>Release:        FreeBSD 2.2.1-RELEASE i386
>Environment:
All machines which use "amd" with the default /etc/amd.map
>Description:
The default /etc/amd.map has a serious security hole.
=-=-=-=
/defaults type:=host;fs:=${autodir}/${rhost};rhost:=${key}
* opts:=rw,grpid
=-=-=-=

If we use this map file, a non-privileged user can mount any remote file system that the remote machines export. If the remote file system contains dangerous SetUID executable files or world-writable device files, the non-privileged user can execute or read them. So, he/she can easily get root authority.

When the "amd" mount point of this map file is "/net", the cracker can become root just by executing the following:

/net/crackers.host.machine/.../setuid-shell
(where crackers.host.machine exports /...)

>How-To-Repeat:
Always.

>Fix:
We should change /etc/amd.map! The following lines are one sample.

=-=-=-=
/defaults type:=host;fs:=${autodir}/${rhost};rhost:=${key}
#my.friend.machine opts:=rw,grpid
* opts:=rw,grpid,nosuid,nodev
=-=-=-=

We should use "nosuid" and "nodev" for "*".

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Takeshi WATANABE (watanabe@komadori.planet.kobe-u.ac.jp)
Graduate School of Science and Technology, Kobe University
Nada, Kobe 657, Japan

>Audit-Trail:
>Unformatted:
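The fix above relies on the client-side mount options: with a wildcard "*" key, amd will mount whatever any reachable host exports, so "nosuid" and "nodev" on that entry are what stop a setuid binary or device node on an attacker-controlled export from being honoured locally. The following script is an added example, not part of the PR or of amd itself; it audits an amd map file for "*" entries whose opts:= list lacks either option, using the one-entry-per-line "key opts:=a,b,c" syntax shown in the PR (with "#" comments) and treating anything else as out of scope. The map file contents in the usage section are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the PR): audit an amd(8) map for wildcard ("*")
# entries that mount remote filesystems without nosuid and nodev.
# Assumes the map syntax used in the PR: one "key opts:=..." entry per line,
# "#" starting a comment line, "/defaults" lines ignored.

# amd_map_check MAPFILE
# Prints each "*" entry missing nosuid or nodev; returns 1 if any were
# found, 0 if every wildcard entry carries both options.
amd_map_check() {
    map="$1"
    bad=0
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') continue ;;          # comment or blank line
        esac
        key=${line%% *}                    # map key is the first word
        [ "$key" = '*' ] || continue       # only the catch-all entry matters here
        # pull the comma-separated value of opts:= out of the entry
        opts=$(printf '%s\n' "$line" | sed -n 's/.*opts:=\([^;[:space:]]*\).*/\1/p')
        missing=""
        for want in nosuid nodev; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf 'UNSAFE: %s (missing:%s)\n' "$line" "$missing"
            bad=1
        fi
    done < "$map"
    return $bad
}

# Usage: amd_map_check /etc/amd.map
# When run directly with a map path as the argument, audit that file.
if [ $# -gt 0 ]; then
    amd_map_check "$1"
fi
```

Run as `sh amd_map_check.sh /etc/amd.map`; a non-zero exit status flags a map that still has the hole. The check is deliberately narrow: it says nothing about named-host entries (like the commented-out my.friend.machine line in the fix), which an administrator may legitimately trust with suid and device files, and it does not parse the full amd map grammar.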