Subject: kern/606: mount_ados/adosfs insecure
To: None <>
From: Chris G. Demetriou <cgd@NetBSD.ORG>
List: netbsd-bugs
Date: 12/03/1994 15:50:07
>Number:         606
>Category:       kern
>Synopsis:       mount_ados allows anybody to mount an ados fs anywhere.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Dec  3 15:50:04 1994
>Originator:     Chris G. Demetriou
Kernel Hackers 'r' Us
>Release:        1.0A
System: NetBSD 1.0 NetBSD 1.0 (SUN_LAMP) #9: Sun Nov 20 22:47:57 PST 1994 i386

	(reported by Matthias Scheler <>.)

	mount_ados allows any user to mount any block device as an ados
	file system, on any directory, because it's set-uid and a
	set of important checks is ommitted from the adosfs mount code.

	also, adosfs code doesn't set user-mount flag, so user can unmount
	the file system.

	as a random user:

	mount_ados <block device> <dir>
	where you don't necessarily have appropriate permissions on the
	block device or the directory.  (note that it works.)

	umount <dir>
	(note that it fails)

	"quick fix": chmod 555 /sbin/mount_ados
	correct fix: clone the permissions checking code out of msdosfs,
		so that permissions are correctly checked for ados filee
		systems.  also, properly set the user-mount flag, and
		make sure the adosfs unmount code does the right thing.

	I would do it myself, but i have absolutely no hope of testing it.