From owner-freebsd-questions@FreeBSD.ORG  Mon Dec  6 16:05:29 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BD98D16A4CE
	for <freebsd-questions@freebsd.org>;
	Mon,  6 Dec 2004 16:05:29 +0000 (GMT)
Received: from ei.bzerk.org (ei.xs4all.nl [213.84.67.5])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1BCEF43D4C
	for <freebsd-questions@freebsd.org>;
	Mon,  6 Dec 2004 16:05:29 +0000 (GMT)
	(envelope-from mail25@bzerk.org)
Received: from ei.bzerk.org (BOFH@localhost [127.0.0.1])
	by ei.bzerk.org (8.13.1/8.13.1) with ESMTP id iB6G7i52005630
	for <freebsd-questions@freebsd.org>;
	Mon, 6 Dec 2004 17:07:44 +0100 (CET)
	(envelope-from bulk@ei.bzerk.org)
Received: (from bulk@localhost)
	by ei.bzerk.org (8.13.1/8.13.1/Submit) id iB6G7ihD005629
	for freebsd-questions@freebsd.org;
	Mon, 6 Dec 2004 17:07:44 +0100 (CET)
	(envelope-from bulk@ei.bzerk.org)
Resent-From: Ruben de Groot <mail25@bzerk.org>
Resent-Message-Id: <200412061607.iB6G7ihD005629@ei.bzerk.org>
Date: Mon, 6 Dec 2004 16:20:10 +0100
From: Ruben de Groot <mail25@bzerk.org>
To: freebsd-questions@freebsd.org
Message-ID: <20041206152010.GA4747@ei.bzerk.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
Resent-Date: Mon, 6 Dec 2004 17:07:44 +0100
Resent-To: freebsd-questions@freebsd.org
X-Spam-Status: No, score=-1.7 required=5.0 tests=ALL_TRUSTED,
	FROM_ENDS_IN_NUMS,J_CHICKENPOX_43 autolearn=failed version=3.0.0
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on ei.bzerk.org
Subject: Unprivileged user can write to mbr
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Dec 2004 16:05:29 -0000


Hi, 

I'm having trouble rationalizing the behaviour described below. Is this
a security-issue (bug) or a feature?
(this is 5-STABLE, oct 26, 2004)

- An unprivileged user 'bztest' with read-only access to /dev/ar0:

%id
uid=1004(bztest) gid=1004(test) groups=1004(test), 5(operator)
%ls -l /dev/ar0
crw-r-----  1 root  operator    4,  21 Nov 23 17:34 /dev/ar0

- Now, the device ar0 has the standard mbr installed:

%cmp /dev/ar0 /boot/mbr
/dev/ar0 /boot/mbr differ: char 447, line 1

- The boot0cfg program does not have any setuid bits:

%ls -l /usr/sbin/boot0cfg
-r-xr-xr-x  1 root  wheel  7940 Oct 26 22:47 /usr/sbin/boot0cfg

- The test user now uses boot0cfg to install the boot0 bootblock:

%boot0cfg -B -b /boot/boot0 /dev/ar0
%cmp /dev/ar0 /boot/mbr
/dev/ar0 /boot/mbr differ: char 13, line 1
%cmp /dev/ar0 /boot/boot0
/dev/ar0 /boot/boot0 differ: char 447, line 5

Can somebody explain this?


thanks,
Ruben de Groot