From owner-freebsd-bugs Mon Jan 14 21: 0:12 2002 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id EF81037B41E for ; Mon, 14 Jan 2002 21:00:02 -0800 (PST) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g0F502P53164; Mon, 14 Jan 2002 21:00:02 -0800 (PST) (envelope-from gnats) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 0373537B417 for ; Mon, 14 Jan 2002 21:00:02 -0800 (PST) Received: (from nobody@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g0F501j53134; Mon, 14 Jan 2002 21:00:01 -0800 (PST) (envelope-from nobody) Message-Id: <200201150500.g0F501j53134@freefall.freebsd.org> Date: Mon, 14 Jan 2002 21:00:01 -0800 (PST) From: Russell Lahti To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-1.0 Subject: misc/33910: user uploading files somehow overwrote /dev/null Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 33910 >Category: misc >Synopsis: user uploading files somehow overwrote /dev/null >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Jan 14 21:00:02 PST 2002 >Closed-Date: >Last-Modified: >Originator: Russell Lahti >Release: 4.4 >Organization: Logical Web Hosting >Environment: FreeBSD srv4.logicalhost.com 4.4-RELEASE FreeBSD 4.4-RELEASE #12: Sun Sep 16 10:08:01 EDT 2001 root@srv4.logicalhost.com:/usr/src/sys/compile/LWH i386 >Description: One of the users on one of our servers was uploading pictures to their website. Somehow in the process he was able to over-write /dev/null to contain: "kill: 91410: No such process" /dev/null was now owned by his username, and basically broke the whole machine until I remade /dev/null. %ls -al /dev/null -rw-r--r-- 1 username usergroup 29 Jan 7 07:31 null Nobody else had access to his username, and the only way he had accessed the system was with an ftp client and the machine is running stock ftpd. I checked all of my logs extensively and nothing seems to be out of place. The ftp transfer log doesn't contain anything relating to that PID, but the time frame does fit exactly for when the file was over-written: Jan 7 00:28:34 srv4 ftpd[91324]: delete /usr/home/username/www/user.html ** file was over-written here** Jan 7 00:28:48 srv4 ftpd[91609]: connection from internal (192.168.1.125) >How-To-Repeat: I have been unable to repeat this situation on my own. I apologize ahead of time for this, I figured this would be a good place to start because of the possible problems it may cause if it is found to be a true bug. >Fix: >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message