Path: sserve!manuel!munnari.oz.au!spool.mu.edu!sgiblab!sdd.hp.com!wupost!uunet!ogicse!plains!tinguely@plains.NoDak.edu
From: tinguely@plains.NoDak.edu (Mark Tinguely)
Newsgroups: comp.unix.bsd
Subject: Re: Questions/problems with 386BSD 0.1
Message-ID: <19427@plains.NoDak.edu>
Date: 29 Jul 92 22:19:54 GMT
Article-I.D.: plains.19427
References: <1992Jul29.042244.29277@umbc3.umbc.edu>
Sender: Unknown@plains.NoDak.edu
Organization: North Dakota State University
Lines: 35
Nntp-Posting-Host: plains.nodak.edu

In article <1992Jul29.042244.29277@umbc3.umbc.edu> cs481a07@umbc5.umbc.edu (cs481a07) writes:
>problem 3: I noticed that anyone could run shutdown. the permissions were
>
>-rwsr-x--- owner root group operator. I changed the permissions to
>-r-x------ and anyone can still run it. (you get the shutdown: NOT super-user)

This is a big security hole. In 0.0, a VOP_ACCESS was used, but root always
succeeds (and tries to execute anything). But the check for a single execute
bit is wrong too. I put the VOP_ACCESS back but also checked to make sure at
least one execute bit is on before root can execute the file. I also checked
if the filesystem was mounted for execution:

*** kern_execve.c Wed Jul 29 14:48:13 1992 --- kern_execve.c.orig Wed Jul 8 19:07:57 1992 *************** *** 120,129 **** goto exec_fail; /* is it executable, and a regular file? */ ! if ((ndp->ni_vp->v_mount->mnt_flag & MNT_NOEXEC) || ! (VOP_ACCESS(ndp->ni_vp, VEXEC, p->p_ucred, p)) || ! ((attr.va_mode & 0111) == 0) || ! (attr.va_type != VREG)) { rv = EACCES; goto exec_fail; } --- 120,126 ---- goto exec_fail; /* is it executable, and a regular file? */ ! if ((attr.va_mode & VEXEC) == 0 || attr.va_type != VREG) { rv = EACCES; goto exec_fail; }
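
Review bot: the file headers put the modified kern_execve.c (Jul 29) on the "***" side and kern_execve.c.orig (Jul 8) on the "---" side, so this context diff runs from the fixed file to the original; applied as posted it would replace the four-condition test (MNT_NOEXEC, VOP_ACCESS, 0111, VREG) with the single "(attr.va_mode & VEXEC) == 0" test. Regenerate it as "diff -c kern_execve.c.orig kern_execve.c", or apply it with "patch -R". The comment "/* is it executable, and a regular file? */" is also worth extending, since the first condition now tested is the mount's MNT_NOEXEC flag rather than anything about the file itself.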
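
The two permission tests in the diff, modeled in userland C as an added example (not code from the post or from 386BSD), run against the shutdown permissions quoted above. The struct and function names, the uid/gid values, the VOP_ACCESS stand-in and the constant values (VEXEC taken as the owner-execute bit 0100) are assumptions of the model.

```c
#include <stdio.h>

/* Userland model, not kernel code. Struct and function names are
 * hypothetical; the constant values are assumptions for the model. */
enum { M_VEXEC = 0100, M_NOEXEC = 0x4 };  /* owner-execute bit; noexec mount */
struct file_model { unsigned mode, uid, gid; int is_reg; unsigned mnt_flag; };
struct cred_model { unsigned uid, gid; };

/* Stand-in for VOP_ACCESS(vp, VEXEC, cred, p): 0 means allowed. Root always
 * succeeds; others are matched against the owner, group or other bits.
 * Supplementary groups are ignored in this model. */
static int access_model(const struct file_model *f, const struct cred_model *c)
{
    unsigned mask = M_VEXEC;
    if (c->uid == 0) return 0;
    if (c->uid != f->uid)
        mask >>= (c->gid == f->gid) ? 3 : 6;
    return (f->mode & mask) ? 0 : 1;
}

/* Condition from kern_execve.c.orig: only mode and file type are examined. */
static int old_check(const struct file_model *f, const struct cred_model *c)
{
    (void)c;                              /* the caller is never consulted */
    return !((f->mode & M_VEXEC) == 0 || !f->is_reg);
}

/* The four conditions of the fixed test, in the same order as the diff. */
static int new_check(const struct file_model *f, const struct cred_model *c)
{
    return !((f->mnt_flag & M_NOEXEC) || access_model(f, c) ||
             (f->mode & 0111) == 0 || !f->is_reg);
}

/* Constructed samples: gid 5 stands for "operator". */
const struct file_model SHUTDOWN  = {04550, 0, 5, 1, 0};        /* -rwsr-x--- */
const struct file_model OWNER_X   = {0500, 0, 5, 1, 0};         /* -r-x------ */
const struct file_model GROUP_X   = {0010, 0, 5, 1, 0};         /* ------x--- */
const struct file_model ON_NOEXEC = {0755, 0, 0, 1, M_NOEXEC};  /* noexec mount */
const struct cred_model ROOT = {0, 0}, OPER = {1001, 5}, USER = {1000, 100};

int main(void)
{
    printf("shutdown, plain user: old=%d new=%d\n",
           old_check(&SHUTDOWN, &USER), new_check(&SHUTDOWN, &USER));
    printf("group-x only, root:   old=%d new=%d\n",
           old_check(&GROUP_X, &ROOT), new_check(&GROUP_X, &ROOT));
    return 0;
}
```

A return value of 1 means the exec would proceed past this test and 0 means it would fail with EACCES.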