From owner-freebsd-security Sat Aug 24 04:23:30 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA28460 for security-outgoing; Sat, 24 Aug 1996 04:23:30 -0700 (PDT) Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id EAA28454 for ; Sat, 24 Aug 1996 04:23:20 -0700 (PDT) Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.12/8.6.9) id VAA25541; Sat, 24 Aug 1996 21:21:00 +1000 Date: Sat, 24 Aug 1996 21:21:00 +1000 From: Bruce Evans Message-Id: <199608241121.VAA25541@godzilla.zeta.org.au> To: guido@gvr.win.tue.nl, julian@whistle.com Subject: Re: [Fwd: mount bug..] Cc: security@freebsd.org Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >Julian Elischer wrote: >> This doesn't work, but I'm wondering why it says it's for freeBSD.. >> did it work on an earlier version? (even with bin replaced by sbin) >> >> umount is not suid anyhow, but..... >> does anyone know about this? >Since they use umount to do the exploit I cannot imagine how they would >ever get a root shell....umount is not suid. Neither is mount. IIRC, among our mount routines, only mount_msdos and mount_union have ever been setuid. Only mount_msdos is setuid now. msdosfs alone allows mounting if the real uid is 0 or the real uid matches the proposed mount point's uid. msdosfs_mount has to be setuid root to defeat the suser check() in mount(). Blech. Controlling things using the permissions mount point may be good, but it shouldn't be special. Bruce