From owner-freebsd-bugs  Sat Jun 15  6:40:11 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id BA94037B40B
	for <freebsd-bugs@hub.freebsd.org>; Sat, 15 Jun 2002 06:40:01 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g5FDe1888367;
	Sat, 15 Jun 2002 06:40:01 -0700 (PDT)
	(envelope-from gnats)
Received: from inferno.stuiver.net (t-indiv8-234.athome.tue.nl [131.155.242.234])
	by hub.freebsd.org (Postfix) with ESMTP id 1EC4737B40A
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 15 Jun 2002 06:30:46 -0700 (PDT)
Received: by inferno.stuiver.net (Postfix, from userid 1106)
	id BABED63; Sat, 15 Jun 2002 15:18:49 +0200 (CEST)
Message-Id: <20020615131849.BABED63@inferno.stuiver.net>
Date: Sat, 15 Jun 2002 15:18:49 +0200 (CEST)
From: Serge van den Boom <svdb@stack.nl>
Reply-To: Serge van den Boom <svdb@stack.nl>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/39329: '..' at mountpoint is subject to the permissions of the shadowed dir
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         39329
>Category:       kern
>Synopsis:       '..' at mountpoint is subject to the permissions of the shadowed dir
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 15 06:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Serge van den Boom
>Release:        FreeBSD 4.5-RELEASE i386
>Organization:
Eindhoven University of Technology
>Environment:
System: FreeBSD inferno.stuiver.net 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Sun Mar 17 04:23:07 CET 2002 svdb@inferno.stuiver.net:/usr/src/sys/compile/INFERNO i386

>Description:
If you have a dir which is not readable by someone, and you mount a
filesystem at that location, the permissions the new filesystem gives to the
dir will be the ones used. Only when you try to access '..', which appears
to be generated by the kernel to point to the parent dir of the mount
location, the permissions of the original dir will be used to determine
if you're allowed to.

>How-To-Repeat:
# mkdir /mnt/tmp
# chown root:wheel /mnt/tmp
# chmod 700 /mnt/tmp
# mount somefs /mnt/tmp
# chmod 755 /mnt/tmp
# ls -lad /mnt/tmp/.*
drwxr-xr-x  4 root  wheel  512 Jun 15 15:20 /mnt/tmp/.
drwxr-xr-x  6 root  wheel  512 Jun 15 15:20 /mnt/tmp/..

$ ls -lad /mnt/tmp/.*
ls: /mnt/tmp/..: Permission denied
drwxr-xr-x  4 root  wheel  512 Jun 15 15:20 /mnt/tmp/.

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message