From owner-freebsd-security  Sat Aug 24 15:44:40 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id PAA06089
          for security-outgoing; Sat, 24 Aug 1996 15:44:40 -0700 (PDT)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA06080
          for <security@freebsd.org>; Sat, 24 Aug 1996 15:44:38 -0700 (PDT)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id PAA11910; Sat, 24 Aug 1996 15:43:59 -0700 (PDT)
Received: from current1.whistle.com(207.76.205.22) by whistle.com via smap (V1.3)
	id sma011906; Sat Aug 24 15:43:33 1996
Message-ID: <321F855A.7A5F06AF@whistle.com>
Date: Sat, 24 Aug 1996 15:42:34 -0700
From: Julian Elischer <julian@whistle.com>
Organization: Whistle Communications
X-Mailer: Mozilla 3.0b6 (X11; I; FreeBSD 2.2-CURRENT i386)
MIME-Version: 1.0
To: Guido van Rooij <guido@gvr.win.tue.nl>
CC: security@freebsd.org
Subject: Re: [Fwd: mount bug..]
References: <199608241013.MAA04792@gvr.win.tue.nl>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Guido van Rooij wrote:
> 
> Julian Elischer wrote:
> > This doesn't work, but I'm wondering why it says it's for freeBSD..
> > did it work on an earlier version? (even with bin replaced by sbin)
> >
> > umount is not suid anyhow, but.....
> > does anyone know about this?
> 
> Since they use umount to do the exploit I cannot imagine how they would
> ever get a root shell....umount is not suid.
> 
> -Guido
I saw that and agree, I'm just puzzled by it....