From owner-freebsd-hackers Sat May 18 13:14:07 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA17714 for hackers-outgoing; Sat, 18 May 1996 13:14:07 -0700 (PDT)
Received: from lilly.ping.de (root@lilly.ping.de [193.100.14.2]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id NAA17708 for ; Sat, 18 May 1996 13:14:01 -0700 (PDT)
Received: (from uucp@localhost) by lilly.ping.de (8.7.3/8.7.3/PING-1.0A) with UUCP id WAA00670; Sat, 18 May 1996 22:00:12 +0200
Received: from localhost (localhost [127.0.0.1]) by infinity.ping.de (8.6.12/8.6.12) with SMTP id VAA00672; Sat, 18 May 1996 21:51:10 +0200
Message-Id: <199605181951.VAA00672@infinity.ping.de>
X-Authentication-Warning: infinity.ping.de: Host localhost didn't use HELO protocol
X-Mailer: exmh version 1.6.6 3/24/96
To: Dan Polivy
cc: freebsd-hackers@freebsd.org
Subject: Re: SECURITY BUG in FreeBSD (fwd)
In-reply-to: Your message of "Fri, 17 May 1996 19:06:03 EDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 18 May 1996 21:51:10 +0200
From: Andre Grosse Bley
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> export PATH=/tmp:$PATH #if zsh, of course
> echo /bin/sh >/tmp/modload
> chmod +x /tmp/modload
> mount_union /dir1 /dir2
> and You are root!

I think this one is easy to fix: edit /usr/src/lib/libc/gen/getvfsent.c

In vfsload() you'll see the following code:

    status = execlp("modload", "modload", "-e", name_mod, "-o",
        name_mod, "-u", "-q", path, (const char *)0);

I replaced it by:

    status = execlp("/sbin/modload", "/sbin/modload", "-e", name_mod, "-o",
        name_mod, "-u", "-q", path, (const char *)0);

rebuilt libc (and INSTALLED!) after that.
And don't forget to rebuild /sbin/mount_union (and mount_msdos, both are setuid).

This fixes the bug for me; I hope I didn't make any mistakes.
Could anyone tell me if that's OK?

BTW: Easier is to remove the setuid bit from mount_union (and msdos, both are setuid!)

--
Regards, Andre