From owner-freebsd-bugs Thu Mar 6 22:10:08 1997
Return-Path:
Received: (from root@localhost)
        by freefall.freebsd.org (8.8.5/8.8.5) id WAA17754
        for bugs-outgoing; Thu, 6 Mar 1997 22:10:08 -0800 (PST)
Received: (from gnats@localhost)
        by freefall.freebsd.org (8.8.5/8.8.5) id WAA17738;
        Thu, 6 Mar 1997 22:10:05 -0800 (PST)
Resent-Date: Thu, 6 Mar 1997 22:10:05 -0800 (PST)
Resent-Message-Id: <199703070610.WAA17738@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, karl@Mcs.Net
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90])
        by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA17350
        for ; Thu, 6 Mar 1997 22:05:48 -0800 (PST)
Received: from Codebase.mcs.net (codebase.mcs.net [192.160.127.89])
        by Kitten.mcs.com (8.8.5/8.8.2) with ESMTP id AAA23577
        for ; Fri, 7 Mar 1997 00:05:47 -0600 (CST)
Received: (from root@localhost)
        by Codebase.mcs.net (8.8.5/8.8.2) id AAA07600;
        Fri, 7 Mar 1997 00:05:45 -0600 (CST)
Message-Id: <199703070605.AAA07600@Codebase.mcs.net>
Date: Fri, 7 Mar 1997 00:05:45 -0600 (CST)
From: Karl
Reply-To: karl@Mcs.Net
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/2906: SEVERE security bug in vfs_vnops.c
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 2906
>Category: kern
>Synopsis: SEVERE security bug in vfs_vnops.c
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Mar 6 22:10:03 PST 1997
>Last-Modified:
>Originator: Karl
>Organization: MCSNet
>Release: FreeBSD 3.0-CURRENT i386
>Environment: generation numbers are visible to any user for files, making unauthorized modification of files on exported NFS filesystems easily possible.
>Description: see posting to freebsd-security@freebsd.org >How-To-Repeat: see posting to freebsd-security@freebsd.org >Fix: *** vfs_vnops.c Fri Mar 7 00:03:33 1997 --- vfs_vnops.c.saved Fri Mar 7 00:03:08 1997 *************** *** 410,420 **** sb->st_mtimespec = vap->va_mtime; sb->st_ctimespec = vap->va_ctime; sb->st_blksize = vap->va_blocksize; ! if (suser (p->u_cred, &p->p_acflag)) { ! sb->st_gen = 0; ! } else { ! sb->st_gen = vap->va_gen; ! } sb->st_gen = vap->va_gen; #if (S_BLKSIZE == 512) /* Optimize this case */ --- 410,416 ---- sb->st_mtimespec = vap->va_mtime; sb->st_ctimespec = vap->va_ctime; sb->st_blksize = vap->va_blocksize; ! sb->st_flags = vap->va_flags; sb->st_gen = vap->va_gen; #if (S_BLKSIZE == 512) /* Optimize this case */ -- Karl Denninger MCSNet >Audit-Trail: >Unformatted:
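Review bot: the unchanged `sb->st_gen = vap->va_gen;` that follows the new if/else in the first half of the hunk runs unconditionally, so it overwrites the `sb->st_gen = 0` just set when suser() returns non-zero, and the generation number is still handed back to every caller; that line should be dropped so the if/else is the only assignment to st_gen. The changed lines also take the place of `sb->st_flags = vap->va_flags;`, so st_flags is no longer filled in; that assignment should stay alongside the new check. The file headers put the edited vfs_vnops.c on the `***` side and vfs_vnops.c.saved on the `---` side, so the diff reads from the fixed file to the original; regenerating it with the saved copy first would let it apply in the intended direction.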