Date: Sat, 24 Aug 1996 21:21:00 +1000 From: Bruce Evans <bde@zeta.org.au> To: guido@gvr.win.tue.nl, julian@whistle.com Cc: security@freebsd.org Subject: Re: [Fwd: mount bug..] Message-ID: <199608241121.VAA25541@godzilla.zeta.org.au>
index | next in thread | raw e-mail
>Julian Elischer wrote: >> This doesn't work, but I'm wondering why it says it's for freeBSD.. >> did it work on an earlier version? (even with bin replaced by sbin) >> >> umount is not suid anyhow, but..... >> does anyone know about this? >Since they use umount to do the exploit I cannot imagine how they would >ever get a root shell....umount is not suid. Neither is mount. IIRC, among our mount routines, only mount_msdos and mount_union have ever been setuid. Only mount_msdos is setuid now. msdosfs alone allows mounting if the real uid is 0 or the real uid matches the proposed mount point's uid. msdosfs_mount has to be setuid root to defeat the suser check() in mount(). Blech. Controlling things using the permissions mount point may be good, but it shouldn't be special. Brucehome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199608241121.VAA25541>