From owner-freebsd-security Fri Jun 23 06:28:13 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id GAA05915 for security-outgoing; Fri, 23 Jun 1995 06:28:13 -0700
Received: from taurus.math.tau.ac.il (root@taurus.math.tau.ac.il [132.67.64.4]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id GAA05909 for ; Fri, 23 Jun 1995 06:28:05 -0700
Received: from sirius.math.tau.ac.il (adam@sirius.math.tau.ac.il [132.67.64.5]) by taurus.math.tau.ac.il (8.6.10/math) with ESMTP id QAA24245 for ; Fri, 23 Jun 1995 16:26:18 +0300
Received: (adam@localhost) by sirius.math.tau.ac.il (8.6.9/8.6.9) id QAA29560; Fri, 23 Jun 1995 16:26:17 +0300
From: adam@math.tau.ac.il (adam)
To: freebsd-security@freebsd.org
Subject: mountd/nonroot mounts
Date: Thu, 22 Jun 1995 22:18:11 +0000
Organization: Things that make you go B00M
Message-ID:
X-Mailer: YARN 0.83/0.20B
X-Ooga: Booga
Lines: 11
Sender: security-owner@freebsd.org
Precedence: bulk

Something about mountd... whether -n is specified in the command line or not, nonroot mounts are honored. To check if a request is coming from root or not, it checks the (easily forged) AUTH_UNIX structure instead of the (less easily forged) source port of the client. Since the kernel nfs server doesn't do any check of caller privileges, that may be all an attacker needs.

adam?
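
Added example, not part of the original message and not mountd's source: the two checks the post contrasts, side by side. The AUTH_UNIX body layout follows RFC 1057; all function names, the sample credential and the port numbers are constructed for illustration, and allow_nonroot is only a model of the -n flag named in the post.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Read one big-endian XDR unsigned int; false on short input. */
static bool xdr_u32(const uint8_t *b, size_t len, size_t *off, uint32_t *out)
{
    if (len < 4 || *off > len - 4)
        return false;
    const uint8_t *p = b + *off;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    *off += 4;
    return true;
}

/* uid from an AUTH_UNIX body: stamp, machinename<255>, uid, gid, gids<>. */
static bool authunix_uid(const uint8_t *cred, size_t len, uint32_t *uid)
{
    size_t off = 0;
    uint32_t stamp, namelen;
    if (!xdr_u32(cred, len, &off, &stamp) || !xdr_u32(cred, len, &off, &namelen))
        return false;
    size_t padded = ((size_t)namelen + 3) & ~(size_t)3;  /* XDR pads to 4 bytes */
    if (namelen > 255 || padded > len - off)
        return false;
    off += padded;
    return xdr_u32(cred, len, &off, uid);
}

/* The check the post describes: believe the uid the client wrote in the credential. */
static bool allow_by_cred(const uint8_t *cred, size_t len)
{
    uint32_t uid;
    return authunix_uid(cred, len, &uid) && uid == 0;
}

/* Transport check on the port the server itself observed (host byte order). */
static bool allow_by_port(uint16_t src_port, bool allow_nonroot)
{
    return allow_nonroot || src_port < 1024;  /* reserved ports need root to bind */
}

/* Constructed sample: stamp 0, machinename "host", uid 0, gid 0, no gids. */
static const uint8_t SAMPLE_CRED[] = { 0,0,0,0, 0,0,0,4, 'h','o','s','t', 0,0,0,0, 0,0,0,0, 0,0,0,0 };

int main(void)
{
    printf("cred uid check: %d, port 40000 check: %d\n", allow_by_cred(SAMPLE_CRED, sizeof SAMPLE_CRED), allow_by_port(40000, false));
    return 0;
}
```

The same request passes the credential check and fails the port check, because the uid is a field inside the message while the source port is reported by the server's own socket layer.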