- Path: sparky!uunet!ogicse!plains!tinguely@plains.NoDak.edu
- From: tinguely@plains.NoDak.edu (Mark Tinguely)
- Newsgroups: comp.unix.bsd
- Subject: Re: Questions/problems with 386BSD 0.1
- Message-ID: <19427@plains.NoDak.edu>
- Date: 29 Jul 92 22:19:54 GMT
- Article-I.D.: plains.19427
- References: <1992Jul29.042244.29277@umbc3.umbc.edu>
- Sender: Unknown@plains.NoDak.edu
- Organization: North Dakota State University
- Lines: 35
- Nntp-Posting-Host: plains.nodak.edu
-
- In article <1992Jul29.042244.29277@umbc3.umbc.edu> cs481a07@umbc5.umbc.edu (cs481a07) writes:
-
- >problem 3: I noticed that anyone could run shutdown. the permissions were
- >
- >-rwsr-x--- owner root group operator. I changed the permissions to
- >-r-x------ and anyone can still run it. (you get the shutdown: NOT super-user)
-
- This is a big security hole. In 0.0, a VOP_ACCESS was used, but root always
- succeeds (and tries to execute anything). But the check for a single execute
- bit is wrong too. I put the VOP_ACCESS back but also checked to make sure
- at least one execute bit is on before root can execute the file. I also
- checked if the filesystem was mounted for execution:
-
- *** kern_execve.c Wed Jul 29 14:48:13 1992
- --- kern_execve.c.orig Wed Jul 8 19:07:57 1992
- ***************
- *** 120,129 ****
- goto exec_fail;
-
- /* is it executable, and a regular file? */
- ! if ((ndp->ni_vp->v_mount->mnt_flag & MNT_NOEXEC) ||
- ! (VOP_ACCESS(ndp->ni_vp, VEXEC, p->p_ucred, p)) ||
- ! ((attr.va_mode & 0111) == 0) ||
- ! (attr.va_type != VREG)) {
- rv = EACCES;
- goto exec_fail;
- }
- --- 120,126 ----
- goto exec_fail;
-
- /* is it executable, and a regular file? */
- ! if ((attr.va_mode & VEXEC) == 0 || attr.va_type != VREG) {
- rv = EACCES;
- goto exec_fail;
- }
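Review bot: the diff runs in the reverse direction, which matters at the file headers and for both halves of the hunk: the `***` side is the modified kern_execve.c (Jul 29) and the `---` side is kern_execve.c.orig (Jul 8), so the four `!` lines at 120,129 with the MNT_NOEXEC, VOP_ACCESS and 0111 tests are the new code, and the single `(attr.va_mode & VEXEC) == 0` line at 120,126 is the code being replaced. Regenerate it with the .orig file first, or note that it must be applied with patch -R, so nobody reintroduces the old check by applying it as posted. A smaller style point on the new condition: the literal 0111 would be easier to audit as named execute-bit constants with a comment saying it exists to stop root from executing files that have no execute bit set.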
-
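The two checks discussed in the post, as an added user-space C model (not part of the original post and not 386BSD source). The struct names, `access_exec` as a simplified stand-in for VOP_ACCESS, and the uid/gid values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: all names here are assumptions, not kernel identifiers. */
#define VEXEC_BIT 0100  /* owner-execute bit, the mask the old check used */

struct cred { unsigned uid, gid; };
struct file { unsigned mode, uid, gid; bool is_regular, mount_noexec; };

/* Simplified stand-in for VOP_ACCESS(VEXEC): root always passes, everyone
 * else is matched against the owner, group or other execute bit. */
static bool access_exec(const struct file *f, const struct cred *c)
{
    if (c->uid == 0) return true;
    if (c->uid == f->uid) return (f->mode & 0100) != 0;
    if (c->gid == f->gid) return (f->mode & 0010) != 0;
    return (f->mode & 0001) != 0;
}

/* Old check: tests only the owner-execute bit and ignores the caller. */
bool may_exec_old(const struct file *f, const struct cred *c)
{
    (void)c;  /* credentials are never consulted, which is the hole */
    return (f->mode & VEXEC_BIT) != 0 && f->is_regular;
}

/* Check as described in the post: noexec mount, credential check, at least
 * one execute bit (so root cannot run a mode 0644 file), regular file. */
bool may_exec_new(const struct file *f, const struct cred *c)
{
    if (f->mount_noexec) return false;
    if (!access_exec(f, c)) return false;
    if ((f->mode & 0111) == 0) return false;
    return f->is_regular;
}

int main(void)
{
    struct file shutdown = { 04750, 0, 5, true, false }; /* -rwsr-x--- root, gid 5 constructed */
    struct cred user = { 1001, 100 };                    /* constructed non-member of the group */
    printf("old=%d new=%d\n", may_exec_old(&shutdown, &user),
           may_exec_new(&shutdown, &user));
    return 0;
}
```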