Date: Sat, 24 Aug 1996 21:21:00 +1000 From: Bruce Evans <bde@zeta.org.au> To: guido@gvr.win.tue.nl, julian@whistle.com Cc: security@freebsd.org Subject: Re: [Fwd: mount bug..] Message-ID: <199608241121.VAA25541@godzilla.zeta.org.au>
next in thread | raw e-mail | index | archive | help
>Julian Elischer wrote: >> This doesn't work, but I'm wondering why it says it's for freeBSD.. >> did it work on an earlier version? (even with bin replaced by sbin) >> >> umount is not suid anyhow, but..... >> does anyone know about this? >Since they use umount to do the exploit I cannot imagine how they would >ever get a root shell....umount is not suid. Neither is mount. IIRC, among our mount routines, only mount_msdos and mount_union have ever been setuid. Only mount_msdos is setuid now. msdosfs alone allows mounting if the real uid is 0 or the real uid matches the proposed mount point's uid. msdosfs_mount has to be setuid root to defeat the suser check() in mount(). Blech. Controlling things using the permissions mount point may be good, but it shouldn't be special. Bruce
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199608241121.VAA25541>