From owner-freebsd-current Fri Sep 15 4:55:55 2000 Delivered-To: freebsd-current@freebsd.org Received: from itesec.hsc.fr (itesec.hsc.fr [192.70.106.33]) by hub.freebsd.org (Postfix) with ESMTP id BA00B37B422 for ; Fri, 15 Sep 2000 04:55:52 -0700 (PDT) Received: from yoko.hsc.fr (yoko.hsc.fr [192.70.106.76]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN "yoko.hsc.fr", Issuer CN "HSC CA" (verified OK)) by itesec.hsc.fr (Postfix) with ESMTP id B9F4A10ED1 for ; Fri, 15 Sep 2000 13:55:51 +0200 (CEST) Received: by yoko.hsc.fr (Postfix-TLS, from userid 1001) id D713F9B208; Fri, 15 Sep 2000 13:55:48 +0200 (CEST) Date: Fri, 15 Sep 2000 13:55:48 +0200 From: Alain Thivillon To: freebsd-current@freebsd.org Subject: DevFs status and security ? Message-ID: <20000915135548.A436@yoko.hsc.fr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.2i X-Organization: Herve Schauer Consultants X-Operating-System: FreeBSD 5.0-CURRENT Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG There is a huge security hole in -CURRENT devfs, i don't known if this is a temporary issue or a 'real' bug: $ id uid=2089(yann) gid=2089(yann) groups=2089(yann) $ uname -a FreeBSD yoko.hsc.fr 5.0-CURRENT FreeBSD 5.0-CURRENT #57: Fri Sep 15 13:36:26 CEST 2000 titi@yoko.hsc.fr:/usr/src/sys/compile/YOKO50 i386 $ df Filesystem 1K-blocks Used Avail Capacity Mounted on /dev/ad0s3a 6252604 5027631 724765 87% / devfs 1 1 0 100% /dev procfs 4 4 0 100% /proc $ ls -l /dev/null crw-rw-rw- 1 root wheel 2, 2 Sep 15 13:47 /dev/null $ chown yann /dev/null $ chown yann /dev/mem $ ls -l /dev/null crw-rw-rw- 1 yann wheel 2, 2 Sep 15 13:47 /dev/null $ chmod 600 /dev/null $ ls -l /dev/null crw------- 1 yann wheel 2, 2 Sep 15 13:47 /dev/null $ strings /dev/mem | head -10 Read Boot error (TKT ( CT (@;T ((0S (,/S (l-S (d/S Every user can change all owners and perms on devfs files. I have verified that /dev/null permissions are REALLY changed (other users can not use him) and that Mem can REALLY be read by anyone. Did i miss something ? Strange that nobody reported it (my problems appeeared when procmail changed perms of /dev/null :)) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message