Date: Sat, 18 May 1996 21:51:10 +0200
From: Andre Grosse Bley <gandalf@infinity.ping.de>
To: Dan Polivy <danp@library.pride.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: SECURITY BUG in FreeBSD (fwd)
Message-ID: <199605181951.VAA00672@infinity.ping.de>
In-Reply-To: Your message of "Fri, 17 May 1996 19:06:03 EDT." <Pine.BSF.3.91.960517190355.230C-100000@library.pride.net>

> export PATH=/tmp:$PATH #if zsh, of course
> echo /bin/sh >/tmp/modload
> chmod +x /tmp/modload
> mount_union /dir1 /dir2
> and You are root!
I think this one is easy to fix:
edit /usr/src/lib/libc/gen/getvfsent.c
In vfsload() you'll see the following code:

    status = execlp("modload", "modload", "-e", name_mod, "-o",
                    name_mod, "-u", "-q", path, (const char *)0);

I replaced it with:

    status = execlp("/sbin/modload", "/sbin/modload", "-e", name_mod,
                    "-o", name_mod, "-u", "-q", path, (const char *)0);

and rebuilt libc (and INSTALLED it!) after that. And don't forget to rebuild
/sbin/mount_union (and mount_msdos, both are setuid).
This fixes the bug for me; I hope I didn't make any mistakes. Could anyone
tell me if that's OK?
BTW: It is easier to remove the setuid bit from mount_union (and msdos, both
are setuid!)
--
Regards, Andre
