*BSD News Article 2706



Path: sserve!manuel!munnari.oz.au!spool.mu.edu!sgiblab!sdd.hp.com!wupost!uunet!ogicse!plains!tinguely@plains.NoDak.edu
From: tinguely@plains.NoDak.edu (Mark Tinguely)
Newsgroups: comp.unix.bsd
Subject: Re: Questions/problems with 386BSD 0.1
Message-ID: <19427@plains.NoDak.edu>
Date: 29 Jul 92 22:19:54 GMT
Article-I.D.: plains.19427
References: <1992Jul29.042244.29277@umbc3.umbc.edu>
Sender: Unknown@plains.NoDak.edu
Organization: North Dakota State University
Lines: 35
Nntp-Posting-Host: plains.nodak.edu

In article <1992Jul29.042244.29277@umbc3.umbc.edu> cs481a07@umbc5.umbc.edu (cs481a07) writes:

>problem 3: I noticed that anyone could run shutdown. the permissions were
>
>-rwsr-x--- owner root group operator. I changed the permissions to
>-r-x------ and anyone can still run it. (you get the shutdown: NOT super-user)

 This is a big security hole. In 0.0, a VOP_ACCESS was used, but root always
 succeeds (and tries to execute anything). But the check for a single execute
 bit is wrong too. I put the VOP_ACCESS back but also checked to make sure
 at least one execute bit is on before root can execute the file. I also
 checked if the filesystem was mounted for execution:

*** kern_execve.c	Wed Jul 29 14:48:13 1992
--- kern_execve.c.orig	Wed Jul  8 19:07:57 1992
***************
*** 120,129 ****
  		goto exec_fail;
  
  	/* is it executable, and a regular file? */
!         if ((ndp->ni_vp->v_mount->mnt_flag & MNT_NOEXEC) ||
! 	   (VOP_ACCESS(ndp->ni_vp, VEXEC, p->p_ucred, p)) ||
! 	   ((attr.va_mode & 0111) == 0) ||
! 	   (attr.va_type != VREG)) {
  		rv = EACCES;
  		goto exec_fail;
  	}
--- 120,126 ----
  		goto exec_fail;
  
  	/* is it executable, and a regular file? */
! 	if ((attr.va_mode & VEXEC) == 0 || attr.va_type != VREG) {
  		rv = EACCES;
  		goto exec_fail;
  	}
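
Review bot: The file order in the header is reversed: `*** kern_execve.c` (Jul 29) carries the new four-condition test and `--- kern_execve.c.orig` (Jul 8) carries the old one, so applying this as posted turns the fixed check back into the `attr.va_mode & VEXEC` test. Regenerate it with the .orig file first, or apply it with `patch -R`. Within the new condition, the comment "is it executable, and a regular file?" no longer covers the MNT_NOEXEC test and should say so, and the first changed line is indented with spaces where the following three use a tab.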
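
A user-space model of the two checks in the diff above, added here as an illustration; it is not code from the article or from 386BSD. The structs, model_access(), the MNT_NOEXEC value and the uid/gid numbers are assumptions made for the model; only the two conditions are taken from the patch.

```c
#include <stdio.h>

#define VEXEC      0100  /* owner-execute bit, value as in BSD <sys/vnode.h> */
#define MNT_NOEXEC 0x4   /* stand-in mount flag for this model (assumption) */
#define EACCES_M   13    /* stand-in for EACCES */

struct file_m { unsigned mode; int uid, gid, regular; unsigned mnt_flag; };
struct cred_m { int uid, gid; };

/* Model of the classic access check: uid 0 always passes; other callers are
 * matched against the owner, group or other bits. Returns 0 when allowed.
 * Simplification: one gid per caller, no supplementary groups. */
static int model_access(const struct file_m *f, unsigned want, const struct cred_m *c)
{
    if (c->uid == 0)
        return 0;
    if (c->uid != f->uid) {
        want >>= 3;                 /* not the owner: use the group bits */
        if (c->gid != f->gid)
            want >>= 3;             /* not in the group: use the other bits */
    }
    return (f->mode & want) == want ? 0 : EACCES_M;
}

/* Check on the .orig side: owner bit only, the caller is never consulted. */
static int exec_ok_orig(const struct file_m *f, const struct cred_m *c)
{
    (void)c;
    return !((f->mode & VEXEC) == 0 || !f->regular);
}

/* Check on the patched side: mount flag, caller access, any x bit, file type. */
static int exec_ok_patched(const struct file_m *f, const struct cred_m *c)
{
    return !((f->mnt_flag & MNT_NOEXEC) || model_access(f, VEXEC, c) ||
             (f->mode & 0111) == 0 || !f->regular);
}

/* Constructed sample data (uids and gids are made up). */
static const struct file_m shutdown_4750 = { 04750, 0, 5, 1, 0 };
static const struct file_m shutdown_0500 = { 00500, 0, 5, 1, 0 };
static const struct file_m noexec_0755   = { 00755, 0, 0, 1, MNT_NOEXEC };
static const struct file_m data_0644     = { 00644, 0, 0, 1, 0 };
static const struct cred_m user = { 1001, 100 }, oper = { 1002, 5 }, root = { 0, 0 };

int main(void)
{
    printf("user, 4750:  orig=%d patched=%d\n", exec_ok_orig(&shutdown_4750, &user), exec_ok_patched(&shutdown_4750, &user));
    printf("user, 0500:  orig=%d patched=%d\n", exec_ok_orig(&shutdown_0500, &user), exec_ok_patched(&shutdown_0500, &user));
    printf("root, 0644:  access=%d patched=%d\n", model_access(&data_0644, VEXEC, &root), exec_ok_patched(&data_0644, &root));
    return 0;
}
```

The root/0644 line shows why the patch keeps a mode test next to VOP_ACCESS: the access check alone returns success for uid 0 even when no execute bit is set.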