Looks like I forgot an access check in DEVFS. I'll look at it tonight.
Poul-Henning
In message <[EMAIL PROTECTED]>, Alain Thivillon writes:
>There is a huge security hole in -CURRENT devfs, i don't known if this
>is a temporary issue or a 'real' bug:
>
>$ id
>uid=2089(yann) gid=2089(yann) groups=2089(yann)
>$ uname -a
>FreeBSD yoko.hsc.fr 5.0-CURRENT FreeBSD 5.0-CURRENT #57: Fri Sep 15
>13:36:26 CEST 2000 [EMAIL PROTECTED]:/usr/src/sys/compile/YOKO50
>i386
>$ df
>Filesystem 1K-blocks Used Avail Capacity Mounted on
>/dev/ad0s3a 6252604 5027631 724765 87% /
>devfs 1 1 0 100% /dev
>procfs 4 4 0 100% /proc
>$ ls -l /dev/null
>crw-rw-rw- 1 root wheel 2, 2 Sep 15 13:47 /dev/null
>$ chown yann /dev/null
>$ chown yann /dev/mem
>$ ls -l /dev/null
>crw-rw-rw- 1 yann wheel 2, 2 Sep 15 13:47 /dev/null
>$ chmod 600 /dev/null
>$ ls -l /dev/null
>crw------- 1 yann wheel 2, 2 Sep 15 13:47 /dev/null
>$ strings /dev/mem | head -10
>Read
>Boot
> error
>(TKT
>( CT
>(@;T
>((0S
>(,/S
>(l-S
>(d/S
>
> Every user can change all owners and perms on devfs files. I
>have verified that /dev/null permissions are REALLY changed (other users
>can not use him) and that Mem can REALLY be read by anyone.
>
> Did i miss something ? Strange that nobody reported it (my
>problems appeeared when procmail changed perms of /dev/null :))
>
>
>
>To Unsubscribe: send mail to [EMAIL PROTECTED]
>with "unsubscribe freebsd-current" in the body of the message
>
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
[EMAIL PROTECTED] | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message