Date: Sat, 18 May 1996 21:51:10 +0200
From: Andre Grosse Bley <gandalf@infinity.ping.de>
To: Dan Polivy <danp@library.pride.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: SECURITY BUG in FreeBSD (fwd)
Message-ID: <199605181951.VAA00672@infinity.ping.de>
In-Reply-To: Your message of "Fri, 17 May 1996 19:06:03 EDT." <Pine.BSF.3.91.960517190355.230C-100000@library.pride.net>
> export PATH=/tmp:$PATH    #if zsh, of course
> echo /bin/sh >/tmp/modload
> chmod +x /tmp/modload
> mount_union /dir1 /dir2
> and you are root!

I think this one is easy to fix:

edit /usr/src/lib/libc/gen/getvfsent.c

In vfsload() you'll see the following code:

    status = execlp("modload", "modload", "-e", name_mod, "-o", name_mod, "-u", "-q", path, (const char *)0);

I replaced it by:

    status = execlp("/sbin/modload", "/sbin/modload", "-e", name_mod, "-o", name_mod, "-u", "-q", path, (const char *)0);

rebuilt libc (and INSTALLED!) after that.
And don't forget to rebuild /sbin/mount_union (and mount_msdos, both are setuid).

This fixes the bug for me, I hope I didn't make any mistakes.
Could anyone tell me if that's ok?

BTW: Easier is to remove the setuid bit from mount_union (and msdos, both are setuid!)

-- 
Regards,
Andre