From owner-freebsd-security  Tue Apr 25 22:10:28 1995
Return-Path: security-owner
Received: (from majordom@localhost)
          by freefall.cdrom.com (8.6.10/8.6.6) id WAA06896
          for security-outgoing; Tue, 25 Apr 1995 22:10:28 -0700
Received: from bunyip.cc.uq.oz.au (bunyip.cc.uq.oz.au [130.102.2.1])
          by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id WAA06888
          for <freebsd-security@freebsd.org>; Tue, 25 Apr 1995 22:10:20 -0700
Received: from s1.elec.uq.oz.au by bunyip.cc.uq.oz.au with SMTP (PP);
          Wed, 26 Apr 1995 15:09:58 +1000
Received: from s4 (s4.elec.uq.oz.au) by s1.elec.uq.oz.au (4.0/SMI-4.0) 
          id AA15058; Wed, 26 Apr 95 15:09:34 EST
From: clary@elec.uq.oz.au (Clary Harridge)
Message-Id: <9504260509.AA15058@s1.elec.uq.oz.au>
Subject: DISKLESS users become root
To: freebsd-security@FreeBSD.org
Date: Wed, 26 Apr 1995 15:08:47 +1000 (EST)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 760
Sender: security-owner@FreeBSD.org
Precedence: bulk

Users on any DISKLESS client can become root during the boot sequence.

I have diskless clients booting off a FreeBSD file server and find that

Pressing CTRLC just after the last NFS mount and before the "autoreboot"
message causes

init: /bin/sh on /etc/rc terminated abnormally, going to single user mode
Enter pathname of shell or RETURN for sh:

then

RETURN gives a root shell.

The state of the /etc/ttys file is not being checked for whether the 
console is secure (or not) and the user is NOT prompted for a root
password.

Has anyone a cure for this problem?

-- 
regards			Dept. of Electrical Engineering,
Clary Harridge		University of Queensland, QLD, Australia, 4072
			Phone: +61-7-365-3636	Fax:   +61-7-365-4999
			INTERNET: clary@elec.uq.oz.au