From: Ruben de Groot
To: freebsd-security@freebsd.org
Date: Mon, 6 Dec 2004 16:22:59 +0100
Subject: Re: Unprivileged user can write to mbr
Message-ID: <20041206152259.GB4747@ei.bzerk.org>
In-Reply-To: <20041206152010.GA4747@ei.bzerk.org>

I forgot to mention:

%uname -a
FreeBSD ei.bzerk.org 5.3-STABLE FreeBSD 5.3-STABLE #56: Tue Oct 26 06:49:27 CEST 2004 root@ei.bzerk.org:/usr/build/usr/obj/usr/build/releng_5/usr/src/sys/SMP-EI i386

On Mon, Dec 06, 2004 at 04:20:10PM +0100, Ruben de Groot typed:
>
> Hi,
>
> I'm having trouble rationalizing the behaviour described below. Is this
> a security-issue (bug) or a feature?
>
> - An unprivileged user 'bztest' with read-only access to /dev/ar0:
>
> %id
> uid=1004(bztest) gid=1004(test) groups=1004(test), 5(operator)
> %ls -l /dev/ar0
> crw-r----- 1 root operator 4, 21 Nov 23 17:34 /dev/ar0
>
> - Now, the device ar0 has the standard mbr installed:
>
> %cmp /dev/ar0 /boot/mbr
> /dev/ar0 /boot/mbr differ: char 447, line 1
>
> - The boot0cfg program does not have any setuid bits:
>
> %ls -l /usr/sbin/boot0cfg
> -r-xr-xr-x 1 root wheel 7940 Oct 26 22:47 /usr/sbin/boot0cfg
>
> - The test user now uses boot0cfg to install the boot0 bootblock:
>
> %boot0cfg -B -b /boot/boot0 /dev/ar0
> %cmp /dev/ar0 /boot/mbr
> /dev/ar0 /boot/mbr differ: char 13, line 1
> %cmp /dev/ar0 /boot/boot0
> /dev/ar0 /boot/boot0 differ: char 447, line 5
>
> Can somebody explain this?
>
> thanks,
> Ruben de Groot
>