Date: Mon, 6 Dec 2004 16:22:59 +0100
From: Ruben de Groot <mail25@bzerk.org>
To: freebsd-security@freebsd.org
Subject: Re: Unprivileged user can write to mbr
Message-ID: <20041206152259.GB4747@ei.bzerk.org>
In-Reply-To: <20041206152010.GA4747@ei.bzerk.org>
References: <20041206152010.GA4747@ei.bzerk.org>

I forgot to mention:

%uname -a
FreeBSD ei.bzerk.org 5.3-STABLE FreeBSD 5.3-STABLE #56: Tue Oct 26 06:49:27 CEST 2004 root@ei.bzerk.org:/usr/build/usr/obj/usr/build/releng_5/usr/src/sys/SMP-EI i386

On Mon, Dec 06, 2004 at 04:20:10PM +0100, Ruben de Groot typed:
>
> Hi,
>
> I'm having trouble rationalizing the behaviour described below. Is this
> a security-issue (bug) or a feature?
>
> - An unprivileged user 'bztest' with read-only access to /dev/ar0:
>
> %id
> uid=1004(bztest) gid=1004(test) groups=1004(test), 5(operator)
> %ls -l /dev/ar0
> crw-r----- 1 root operator 4, 21 Nov 23 17:34 /dev/ar0
>
> - Now, the device ar0 has the standard mbr installed:
>
> %cmp /dev/ar0 /boot/mbr
> /dev/ar0 /boot/mbr differ: char 447, line 1
>
> - The boot0cfg program does not have any setuid bits:
>
> %ls -l /usr/sbin/boot0cfg
> -r-xr-xr-x 1 root wheel 7940 Oct 26 22:47 /usr/sbin/boot0cfg
>
> - The test user now uses boot0cfg to install the boot0 bootblock:
>
> %boot0cfg -B -b /boot/boot0 /dev/ar0
> %cmp /dev/ar0 /boot/mbr
> /dev/ar0 /boot/mbr differ: char 13, line 1
> %cmp /dev/ar0 /boot/boot0
> /dev/ar0 /boot/boot0 differ: char 447, line 5
>
> Can somebody explain this?
>
> thanks,
> Ruben de Groot
>