Tom Fitzgerald writes:
> Here's a little additional information..... the nfs_mount routine does its
> work through the vmount() system call, which is documented. If this is a
> security hole at all, then it's because it would let an attacker mount a
> remote filesystem under his control onto a world-readable directory like
> /tmp or /var/preserve, and thereby grab a copy of everything that was
> written to that directory. Anybody want to write a test program?
>
> nfs_mount is in librpcsvc.a, but offers nothing beyond what vmount() gives
> (since it's just a subroutine anyway) aside from a simpler interface.

Sorry. I should have explained the general nature of the hole. If a
non-root user can mount a daemon on a directory, he can somehow mount
something which provides him with an SUID shell. As I said, I have a
third-party package which can be abused in this way. Since the problem
is not the fault of the third party, I am inclined not to reveal more
detail as to what and who.

-Rick
--
|Rick Cochran                                          607-255-7223|
|Cornell Materials Science Center              rick@msc.cornell.edu|
|E20 Clark Hall, Ithaca, N.Y. 14853    cornell!msc.cornell.edu!rick|
|          "Workstations - I bet you can't eat just one!"          |