Path: sserve!manuel!munnari.oz.au!spool.mu.edu!sgiblab!sdd.hp.com!wupost!uunet!ogicse!plains!tinguely@plains.NoDak.edu
From: tinguely@plains.NoDak.edu (Mark Tinguely)
Newsgroups: comp.unix.bsd
Subject: Re: Questions/problems with 386BSD 0.1
Message-ID: <19427@plains.NoDak.edu>
Date: 29 Jul 92 22:19:54 GMT
Article-I.D.: plains.19427
References: <1992Jul29.042244.29277@umbc3.umbc.edu>
Sender: Unknown@plains.NoDak.edu
Organization: North Dakota State University
Lines: 35
Nntp-Posting-Host: plains.nodak.edu
In article <1992Jul29.042244.29277@umbc3.umbc.edu> cs481a07@umbc5.umbc.edu (cs481a07) writes:
>problem 3: I noticed that anyone could run shutdown. the permissions were
>
>-rwsr-x--- owner root group operator. I changed the permissions to
>-r-x------ and anyone can still run it. (you get the shutdown: NOT super-user)
This is a big security hole. In 0.0, a VOP_ACCESS was used, but root always
succeeds (and tries to execute anything). But the check for a single execute
bit is wrong too. I put the VOP_ACCESS back but also checked to make sure
at least one execute bit is on before root can execute the file. I also
checked if the filesystem was mounted for execution:
*** kern_execve.c Wed Jul 29 14:48:13 1992
--- kern_execve.c.orig Wed Jul 8 19:07:57 1992
***************
*** 120,129 ****
goto exec_fail;
/* is it executable, and a regular file? */
! if ((ndp->ni_vp->v_mount->mnt_flag & MNT_NOEXEC) ||
! (VOP_ACCESS(ndp->ni_vp, VEXEC, p->p_ucred, p)) ||
! ((attr.va_mode & 0111) == 0) ||
! (attr.va_type != VREG)) {
rv = EACCES;
goto exec_fail;
}
--- 120,126 ----
goto exec_fail;
/* is it executable, and a regular file? */
! if ((attr.va_mode & VEXEC) == 0 || attr.va_type != VREG) {
rv = EACCES;
goto exec_fail;
}
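
Review bot: The context diff runs in the reverse direction: the `***` side (120,129, kern_execve.c dated Jul 29) carries the new four-part test and the `---` side is kern_execve.c.orig, so patch would take the fix for the old text if this is applied as posted. Regenerate it with the .orig file as the first argument, or state that it must be applied reversed. Within the new condition, the literal 0111 in `((attr.va_mode & 0111) == 0)` would be clearer with a short comment that it means any of the owner, group or other execute bits, since the line it replaces used the VEXEC name. The non-zero return of VOP_ACCESS is also discarded in favour of a fixed EACCES, which is worth a word in the comment above the test.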
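
The three checks discussed in this post, as a simplified userland model (an added example, not part of the original post and not 386BSD source). The structs, function names, the single-group access model and the sample files are assumptions made for illustration; only the VEXEC, 0111, no-exec mount and regular-file tests come from the diff above.

```c
#include <stdio.h>

#define VEXEC 0100   /* owner-execute bit, the only thing the 0.1 test looks at */

/* Illustrative stand-ins for the vnode attributes and credentials. */
struct file { unsigned mode, uid, gid; int is_reg, noexec_mount; };
struct cred { unsigned uid, gid; };

/* Model of VOP_ACCESS(vp, VEXEC, cred): root always succeeds (returns 0). */
static int access_exec(const struct file *f, const struct cred *c)
{
    unsigned bit = VEXEC;
    if (c->uid == 0)
        return 0;
    if (c->uid != f->uid) {
        bit >>= 3;                  /* fall back to the group bit */
        if (c->gid != f->gid)
            bit >>= 3;              /* fall back to the other bit */
    }
    return (f->mode & bit) ? 0 : -1;
}

/* 0.1 test: owner-execute bit set and regular file; the caller is ignored. */
int may_exec_01(const struct file *f, const struct cred *c)
{
    (void)c;
    return !((f->mode & VEXEC) == 0 || !f->is_reg);
}

/* 0.0 behaviour as the post describes it: access check only. */
int may_exec_00(const struct file *f, const struct cred *c)
{
    return access_exec(f, c) == 0;
}

/* Patched test: exec-enabled mount, access check, some x bit, regular file. */
int may_exec_fixed(const struct file *f, const struct cred *c)
{
    return !(f->noexec_mount || access_exec(f, c) != 0 ||
             (f->mode & 0111) == 0 || !f->is_reg);
}

/* Constructed samples: a -r-x------ root-owned binary and a 0644 data file. */
const struct file shutdown_bin = { 0500, 0, 5, 1, 0 };
const struct file data_file    = { 0644, 0, 0, 1, 0 };
const struct cred user = { 1001, 100 }, root = { 0, 0 };

int main(void)
{
    printf("user, mode 0500: 0.1=%d fixed=%d\n",
           may_exec_01(&shutdown_bin, &user), may_exec_fixed(&shutdown_bin, &user));
    printf("root, mode 0644: 0.0=%d fixed=%d\n",
           may_exec_00(&data_file, &root), may_exec_fixed(&data_file, &root));
    return 0;
}
```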