Re: nfs_mount in AIX

der Mouse (mouse@Collatz.McRCIM.McGill.EDU)
Wed, 26 Apr 1995 08:04:09 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Dave Williss: "Good Times "virus" question"
Previous message: rick@msc.cornell.edu: "Re: nfs_mount in AIX"
Maybe in reply to: rick@msc.cornell.edu: "nfs_mount in AIX"
Next in thread: Quentin Fennessy: "Re: nfs_mount in AIX"

>> It appears that the completely undocumented routine 'nfs_mount' can
>> be used by a non-root user to mount a daemon on a directory ala NFS.
>> It seems to me that this is a very nasty security hole.
> Here's a little additional information.....  the nfs_mount routine
> does its work through the vmount() system call, which is documented.
> If this is a security hole at all, then it's because it would let an
> attacker mount a remote filesystem under his control onto a
> world-readable directory like /tmp or /var/preserve, and thereby grab
> a copy of everything that was written to that directory.

I don't have access to AIX, so I can't read the vmount() docs, so this
may be a non-issue...but unless it enforces "nosuid,nodev" for non-root
mounts, there are much greater problems - like someone mounting a
filesystem providing suid executables, or device special files with
permissive mode bits.  (Note that if, as the first message implies,
vmount() allows the mounting of a daemon on a directory, then these
executables and/or special files do not have to actually exist
anywhere; root access on another machine is not needed.)

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu

Next message: Dave Williss: "Good Times "virus" question"
Previous message: rick@msc.cornell.edu: "Re: nfs_mount in AIX"
Maybe in reply to: rick@msc.cornell.edu: "nfs_mount in AIX"
Next in thread: Quentin Fennessy: "Re: nfs_mount in AIX"