Delivered-To: freebsd-bugs@freebsd.org
Message-Id: <5.1.0.14.2.20020115081753.02a57728@logicalhost.com>
Date: Tue, 15 Jan 2002 08:30:33 -0500
To: freebsd-bugs@FreeBSD.ORG
From: "Russell J. Lahti"
Subject: Re: misc/33910: user uploading files somehow overwrote /dev/null
In-Reply-To: <200201151110.g0FBA1f26702@freefall.freebsd.org>

At 03:10 AM 1/15/2002 -0800, you wrote:
>The following reply was made to PR misc/33910; it has been noted by GNATS.
>
>From: Ruslan Ermilov
>To: Russell Lahti
>Cc: bug-followup@FreeBSD.org
>Subject: Re: misc/33910: user uploading files somehow overwrote /dev/null
>Date: Tue, 15 Jan 2002 13:01:54 +0200
>
> On Mon, Jan 14, 2002 at 09:00:01PM -0800, Russell Lahti wrote:
> >
> > /dev/null was now owned by his username, and basically broke the
> > whole machine until I remade /dev/null.
> >
> > %ls -al /dev/null
> > -rw-r--r-- 1 username usergroup 29 Jan 7 07:31 null
> >
> > Nobody else had access to his username, and the only way he had
> > accessed the system was with an ftp client and the machine is running
> > stock ftpd. I checked all of my logs extensively and nothing seems to be
> > out of place. The ftp transfer log doesn't contain anything relating to
> > that PID, but the time frame does fit exactly for when
> > the file was over-written:
> >
> > Jan 7 00:28:34 srv4 ftpd[91324]: delete /usr/home/username/www/user.html
> > ** file was over-written here**
> > Jan 7 00:28:48 srv4 ftpd[91609]: connection from internal (192.168.1.125)
> >
> An owner of the /dev directory (or any user that has write permission)
> may delete /dev/null entry and create a regular file in place of it.
> Please verify that the ownership and permissions are set correctly for
> /dev.

I did check all of this.

drwxr-xr-x 4 root wheel 14336 Jan 7 07:35 dev
crw-rw-rw- 1 root wheel 2, 2 Jan 15 08:23 /dev/null

The /dev directory permissions have never changed. /dev/null had these
*exact* permissions before it was over-written. I had tripwire monitoring
/dev and its contents from the day of install. The permissions had never
changed.

> Alternatively, the unnamed server software could be running with
> the effective UID of root.

ftpd was the only way this user has ever accessed the system. The time fits
exactly with the time that he was connected, and no other system activity
was happening at the time from TCP connection logs. The machine is running
the default install of ftpd that is distributed with freebsd.

-Russell
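The thread's evidence is the difference between a healthy `crw-rw-rw- root wheel` device node and a `-rw-r--r-- username` regular file sitting at the same path. The following is an added example (not code from the thread or from FreeBSD) of the integrity check a tripwire-style monitor would run to catch that replacement; it assumes the expected state is a character device, mode 0666, owned by uid 0, and reproduces the symptom in a temporary directory rather than touching the real /dev.

```python
import os
import stat
import tempfile

# Expected state of /dev/null, as in the healthy listing quoted in the thread:
# crw-rw-rw- 1 root wheel 2, 2 ... /dev/null  (assumption: uid 0 == root)
EXPECTED_MODE = 0o666
EXPECTED_UID = 0


def check_dev_null(path="/dev/null", expected_uid=EXPECTED_UID,
                   expected_mode=EXPECTED_MODE):
    """Return a list of findings describing how `path` deviates from the
    expected character-special /dev/null; an empty list means it looks
    healthy. lstat is used so a symlink dropped in its place is not masked."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path} is missing"]
    if not stat.S_ISCHR(st.st_mode):
        kind = "regular file" if stat.S_ISREG(st.st_mode) else "non-device"
        findings.append(f"{path} is a {kind}, not a character device")
        if stat.S_ISREG(st.st_mode):
            # Data in the file is what the user's upload left behind
            findings.append(f"{path} holds {st.st_size} bytes of data")
    if st.st_uid != expected_uid:
        findings.append(f"{path} owned by uid {st.st_uid}, expected {expected_uid}")
    perm = stat.S_IMODE(st.st_mode)
    if perm != expected_mode:
        findings.append(f"{path} mode {perm:04o}, expected {expected_mode:04o}")
    return findings


def ls_line_is_device(line):
    """Classify one `ls -l` line like the two quoted in the thread.
    Returns (is_character_device, owner); a leading 'c' in the mode
    column marks a character special file."""
    fields = line.split()
    return fields[0][0] == "c", fields[2]


def demo_replaced_null():
    """Constructed reproduction of the symptom: a 29-byte regular file with
    mode 0644 at a path where a device node is expected (in a temp dir)."""
    fake = os.path.join(tempfile.mkdtemp(), "null")
    with open(fake, "wb") as f:
        f.write(b"x" * 29)       # same size as the thread's broken listing
    os.chmod(fake, 0o644)        # -rw-r--r-- as in the thread
    return check_dev_null(fake)
```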