Date: Thu, 20 Jun 2002 07:00:36 -0700 (PDT) From: Vasil Dimov <vd@etrade.bg> To: freebsd-gnats-submit@FreeBSD.org Subject: bin/39573: uid 0 check in install.sh in 4.6-disc1.iso can be circumvented Message-ID: <200206201400.g5KE0aUC034406@www.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 39573
>Category: bin
>Synopsis: uid 0 check in install.sh in 4.6-disc1.iso can be circumvented
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jun 20 07:10:03 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Vasil Dimov
>Release: 4.6-STABLE
>Organization:
eTrade.bg
>Environment:
FreeBSD vihren.etrade.xx 4.6-STABLE FreeBSD 4.6-STABLE #0: Mon Jun 17 15:38:29 EEST 2002 root@vihren.etrade.xx:/usr/src/sys/compile/VIHREN i386
>Description:
all the scripts named install.sh in the 4.6-disc1.iso
MD5 (4.6-disc1.iso) = 99666e6f33820af3b060734203202e35
use the same check to ensure the caller is uid 0:
if [ "`id -u`" != "0" ]; then
echo "Sorry, this must be done as root."
exit 1
fi
which can be easily passed by nonuid0 users, probably
causing "Permission denied" in the following commands.
if this check is needed at all it should be fixatored
to something more unpassable.
>How-To-Repeat:
assuming we are in the cdrom root dir
$ ./bin/install.sh
Sorry, this must be done as root.
$
$ echo "echo 0" > ~/bin/id
$ chmod 700 ~/bin/id
$ export PATH=~/bin:$PATH
$ ./bin/install.sh
You are about to extract the base distribution into / - are you SURE
you want to do this over your installed system (y/n)? n
$
>Fix:
`id -u`
should be changed to:
`/usr/bin/id -u`
this is not so obviously to pass, yeah
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206201400.g5KE0aUC034406>