Message-Id: <200206201400.g5KE0aUC034406@www.freebsd.org>
Date: Thu, 20 Jun 2002 07:00:36 -0700 (PDT)
From: Vasil Dimov
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: bin/39573: uid 0 check in install.sh in 4.6-disc1.iso can be circumvented

>Number:         39573
>Category:       bin
>Synopsis:       uid 0 check in install.sh in 4.6-disc1.iso can be circumvented
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 20 07:10:03 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Vasil Dimov
>Release:        4.6-STABLE
>Organization:
eTrade.bg
>Environment:
FreeBSD vihren.etrade.xx 4.6-STABLE FreeBSD 4.6-STABLE #0: Mon Jun 17 15:38:29 EEST 2002 root@vihren.etrade.xx:/usr/src/sys/compile/VIHREN i386
>Description:
All the scripts named install.sh in the 4.6-disc1.iso
MD5 (4.6-disc1.iso) = 99666e6f33820af3b060734203202e35
use the same check to ensure the caller is uid 0:

    if [ "`id -u`" != "0" ]; then
        echo "Sorry, this must be done as root."
        exit 1
    fi

which can be easily passed by non-uid-0 users, probably causing
"Permission denied" in the following commands.
If this check is needed at all, it should be fixed to something more
unpassable.
>How-To-Repeat:
Assuming we are in the cdrom root dir:

    $ ./bin/install.sh
    Sorry, this must be done as root.
    $
    $ echo "echo 0" > ~/bin/id
    $ chmod 700 ~/bin/id
    $ export PATH=~/bin:$PATH
    $ ./bin/install.sh
    You are about to extract the base distribution into / - are you
    SURE you want to do this over your installed system (y/n)? n
    $
>Fix:
`id -u` should be changed to:
`/usr/bin/id -u`
This is not so obvious to pass, yeah.
>Release-Note:
>Audit-Trail:
>Unformatted:
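The two forms of the check from this PR, side by side, as an added example that is not part of the original report or of the install.sh scripts on the CD. The function names and the `with_decoy` helper are hypothetical; the decoy `id` is constructed in a temporary directory, mirroring the How-To-Repeat section.

```sh
#!/bin/sh
# Added example, not taken from the install.sh scripts on the CD.

# Check as quoted in the PR: `id` is resolved through the caller's PATH.
check_path_lookup() {
    [ "`id -u`" = "0" ]
}

# Check with the PR's suggested fix: absolute path, PATH is not consulted.
check_pinned() {
    [ "`/usr/bin/id -u`" = "0" ]
}

# Hypothetical test helper: run check "$1" with a constructed decoy `id`
# (prints 0) placed first in PATH, as in the PR's How-To-Repeat.
# Returns the check's exit status; the decoy directory is removed afterwards.
with_decoy() {
    decoy=`mktemp -d "${TMPDIR:-/tmp}/decoy.XXXXXX"` || return 2
    printf '#!/bin/sh\necho 0\n' > "$decoy/id"
    chmod 700 "$decoy/id"
    ( PATH="$decoy:$PATH"; export PATH; "$1" )
    rc=$?
    rm -rf "$decoy"
    return $rc
}

if with_decoy check_path_lookup; then
    echo "PATH lookup: decoy id accepted, check passes for any user"
fi
if with_decoy check_pinned; then
    echo "pinned path: caller really is uid 0"
else
    echo "pinned path: decoy ignored, caller is not uid 0"
fi
```

Resetting PATH to a fixed value at the top of a script has the same effect on the lookup as the absolute path. Either way the check only produces an early, readable error; what actually stops a non-root caller is the "Permission denied" from the later commands that the description mentions.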