From owner-freebsd-security Tue Apr 25 22:10:28 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id WAA06896 for security-outgoing; Tue, 25 Apr 1995 22:10:28 -0700 Received: from bunyip.cc.uq.oz.au (bunyip.cc.uq.oz.au [130.102.2.1]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id WAA06888 for ; Tue, 25 Apr 1995 22:10:20 -0700 Received: from s1.elec.uq.oz.au by bunyip.cc.uq.oz.au with SMTP (PP); Wed, 26 Apr 1995 15:09:58 +1000 Received: from s4 (s4.elec.uq.oz.au) by s1.elec.uq.oz.au (4.0/SMI-4.0) id AA15058; Wed, 26 Apr 95 15:09:34 EST From: clary@elec.uq.oz.au (Clary Harridge) Message-Id: <9504260509.AA15058@s1.elec.uq.oz.au> Subject: DISKLESS users become root To: freebsd-security@FreeBSD.org Date: Wed, 26 Apr 1995 15:08:47 +1000 (EST) X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 760 Sender: security-owner@FreeBSD.org Precedence: bulk Users on any DISKLESS client can become root during the boot sequence. I have diskless clients booting off a FreeBSD file server and find that Pressing CTRLC just after the last NFS mount and before the "autoreboot" message causes init: /bin/sh on /etc/rc terminated abnormally, going to single user mode Enter pathname of shell or RETURN for sh: then RETURN gives a root shell. The state of the /etc/ttys file is not being checked for whether the console is secure (or not) and the user is NOT prompted for a root password. Has anyone a cure for this problem? -- regards Dept. of Electrical Engineering, Clary Harridge University of Queensland, QLD, Australia, 4072 Phone: +61-7-365-3636 Fax: +61-7-365-4999 INTERNET: clary@elec.uq.oz.au