From owner-freebsd-bugs Thu Jun 20 9:50:15 2002
Message-Id: <200206201641.g5KGf5of051981@www.freebsd.org>
Date: Thu, 20 Jun 2002 09:41:05 -0700 (PDT)
From: aeonflux
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: conf/39580: insecure default settings

>Number:         39580
>Category:       conf
>Synopsis:       insecure default settings
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 20 09:50:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     aeonflux
>Release:        4.6 release
>Organization:
none
>Environment:
4.6 release
>Description:
By default in the install, when you have label create the drive partitions for you, a /tmp label is created; however, it is not mounted with the options "nofollowsymlinks", which would help stop race conditions.
As well, /tmp is not mounted with nosuid, allowing suid bit binaries to execute from the tmp directory.

Further reading from Kris Kennaway:
http://old.lwn.net/2000/1221/a/sec-tmp.php3
>How-To-Repeat:
Exploit any race condition, like the Adobe PDF writer one for example. Symlink a predictable file in /tmp to /etc/master.passwd, etc... you all know the drill.
>Fix:
Edit /etc/fstab after installation and change the options to "rw,nosymfollow,nosuid".

Alter sysinstall to make those options default.
>Release-Note:
>Audit-Trail:
>Unformatted:
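
Added example, not part of the original PR: a shell check that reads an fstab and reports which of the two /tmp options named in the Fix section (nosymfollow, nosuid) are absent. The function names and the sample fstab contents, including the device names, are constructed for illustration.

```sh
#!/bin/sh
# missing_tmp_opts [FILE]   (hypothetical helper; reads stdin when FILE is omitted)
#   prints the hardening options missing from the /tmp entry, comma-separated
#   exit status: 0 = both present, 1 = at least one missing, 2 = no /tmp entry
missing_tmp_opts() {
    awk '
        BEGIN { rc = 0 }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $2 == "/tmp" {                       # field 2 is the mount point
            found = 1
            n = split($4, opt, ",")          # field 4 is the option list
            for (i = 1; i <= n; i++) have[opt[i]] = 1
            out = ""
            if (!("nosymfollow" in have)) out = "nosymfollow"
            if (!("nosuid" in have)) out = out (out == "" ? "" : ",") "nosuid"
            if (out != "") { print out; rc = 1 }
            exit                             # jumps to END
        }
        END { if (!found) exit 2; exit rc }
    ' "$@"
}

# Constructed sample: the layout the PR describes, /tmp mounted with plain "rw".
sample_default() {
    cat <<'EOF'
# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1b     none        swap    sw       0     0
/dev/ad0s1a     /           ufs     rw       1     1
/dev/ad0s1e     /tmp        ufs     rw       2     2
EOF
}

# Constructed sample: the same layout with the options from the Fix section.
sample_fixed() {
    cat <<'EOF'
/dev/ad0s1a     /           ufs     rw                      1     1
/dev/ad0s1e     /tmp        ufs     rw,nosymfollow,nosuid   2     2
EOF
}

printf 'default layout is missing: %s\n' "$(sample_default | missing_tmp_opts)"
printf 'fixed layout is missing:   %s\n' "$(sample_fixed | missing_tmp_opts)"
```

On an installed system the same function can be pointed at the real file: missing_tmp_opts /etc/fstab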