Date:      Sat, 13 Jul 1996 19:23:00 +1000
From:      Bruce Evans <bde@zeta.org.au>
To:        dlowe@best.com, security@freefall.freebsd.org
Subject:   Re: dump, rdump
Message-ID:  <199607130923.TAA18498@godzilla.zeta.org.au>

>  /sbin/dump and /sbin/rdump probably shouldn't be world-executable, as
>they are in the default config of 2.1.0-STABLE.  As far as I know, this
>isn't a root-gaining problem, but any user can use:

>  /sbin/dump 0f $HOME/whatever /usr (or /var)

>and parse the files created for interesting info.  My biggest concern

I think only users in group operator can do this.  Otherwise opening of
the raw disk fails.  It is opened early but after setuid(getuid()).

>  So much for the bug description.  Now my related questions.  From main.c
>in /usr/src/sbin/dump:

>  (void)setuid(getuid()); /* rmthost() is the only reason to be setuid */

>  So it would appear that the program has reverted to the real user-id.
>Why then is it able to read all files on /usr or /var?  And yet can't open

The fd for the disk would remain valid after the setuid(), so dump must be
careful not to open the disk while it is root.  It seems to be careful
enough.

Bruce
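The ordering point Bruce makes above (a descriptor opened while still root keeps working after setuid(getuid()), because the kernel checks permission at open() and not at read()) is easy to see directly. The program below is an added illustration, not code from this thread or from dump's main.c. It creates a private 0600 file under /tmp (an assumed location), opens it, gives up access, and then shows that the early descriptor still reads while a fresh open() of the same file is refused. When run as root it really drops to uid 65534 (assumed to be "nobody"); unprivileged, where no uid change is possible, it takes the permission bits away with chmod instead, which has the same effect on a later open().

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of the experiment: did the pre-drop fd keep working, and was a
 * fresh open() refused once access was gone? */
struct fd_after_drop {
    int early_fd_readable;  /* 1 if read() on the pre-drop fd returned the data */
    int reopen_failed;      /* 1 if open() after the drop returned -1 */
    int reopen_errno;       /* errno from that failed open(), 0 if it succeeded */
};

/* Give up access to `path`.  As root, actually change uid (65534 is an
 * assumption; the file is root-owned 0600, so that uid cannot open it).
 * Unprivileged, we cannot change uid, so remove the permission bits. */
static int drop_access(const char *path)
{
    if (geteuid() == 0)
        return setuid(65534);
    return chmod(path, 0);
}

/* The ordering the reply warns about: open the object while privileged,
 * then drop.  The descriptor outlives the privilege. */
struct fd_after_drop open_before_drop(void)
{
    struct fd_after_drop r = {0, 0, 0};
    char path[] = "/tmp/fd-after-drop-XXXXXX";          /* assumed temp dir */
    const char payload[] = "constructed sample disk contents";
    char buf[sizeof payload];

    int fd = mkstemp(path);                /* created 0600, owned by caller */
    if (fd < 0) { perror("mkstemp"); exit(1); }
    if (write(fd, payload, sizeof payload) != (ssize_t)sizeof payload) {
        perror("write"); exit(1);
    }

    /* Permission is checked here, once, against the current credentials. */
    int early = open(path, O_RDONLY);
    if (early < 0) { perror("open"); exit(1); }

    if (drop_access(path) != 0) { perror("drop_access"); exit(1); }

    /* No re-check at read(): the already-open descriptor still works. */
    ssize_t n = read(early, buf, sizeof buf);
    r.early_fd_readable = (n == (ssize_t)sizeof payload &&
                           memcmp(buf, payload, (size_t)n) == 0);

    /* A new open() is checked against the reduced credentials and refused. */
    int late = open(path, O_RDONLY);
    if (late < 0) {
        r.reopen_failed = 1;
        r.reopen_errno = errno;
    } else {
        close(late);
    }

    close(early);
    close(fd);
    unlink(path);   /* best effort: after a real uid drop this may fail */
    return r;
}

int main(void)
{
    struct fd_after_drop r = open_before_drop();
    printf("early fd readable after drop: %d\n", r.early_fd_readable);
    printf("re-open after drop failed:    %d (%s)\n", r.reopen_failed,
           r.reopen_failed ? strerror(r.reopen_errno) : "-");
    return 0;
}
```

The lesson for a setuid program such as dump is the one in the reply: every open() that should be subject to the invoking user's permissions has to happen after setuid(getuid()), since nothing done to the credentials afterwards will revoke a descriptor that was handed out while the process was still root.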


