Subject: kern/606: mount_ados/adosfs insecure
To: None <firstname.lastname@example.org>
From: Chris G. Demetriou <cgd@NetBSD.ORG>
Date: 12/03/1994 15:50:07
>Synopsis: mount_ados allows anybody to mount an ados fs anywhere.
>Responsible: gnats-admin (Kernel Bug People)
>Arrival-Date: Sat Dec 3 15:50:04 1994
>Originator: Chris G. Demetriou
Kernel Hackers 'r' Us
System: NetBSD sun-lamp.cs.berkeley.edu 1.0 NetBSD 1.0 (SUN_LAMP) #9: Sun Nov 20 22:47:57 PST 1994 email@example.com:/e/mycroft/sys/arch/i386/compile/SUN_LAMP i386
(reported by Matthias Scheler <firstname.lastname@example.org>.)
mount_ados allows any user to mount any block device as an ados
file system, on any directory, because it's set-uid and a
set of important checks is omitted from the adosfs mount code.
also, adosfs code doesn't set user-mount flag, so user can unmount
the file system.
as a random user:
mount_ados <block device> <dir>
where you don't necessarily have appropriate permissions on the
block device or the directory. (note that it works.)
(note that it fails)
"quick fix": chmod 555 /sbin/mount_ados
correct fix: clone the permissions checking code out of msdosfs,
so that permissions are correctly checked for ados file
systems. also, properly set the user-mount flag, and
make sure the adosfs unmount code does the right thing.
I would do it myself, but I have absolutely no hope of testing it.
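
The kind of check the "correct fix" above calls for, as an added user-space model in C; it is not part of the original report and is not NetBSD kernel or msdosfs code. The `struct node` type, the function names and the policy itself (a non-root caller must own the mount point and have access to the block device) are assumptions made for illustration, and the sample values are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical user-space model of a file's attributes (not a kernel type). */
struct node {
    bool is_dir, is_blkdev;
    unsigned uid, gid;
    unsigned mode;                      /* permission bits, e.g. 0640 */
};

enum verdict { V_OK, V_NOT_DIR, V_NOT_BLKDEV, V_NOT_OWNER, V_DEV_DENIED };

/* Classic owner/group/other check; ignores supplementary groups and ACLs. */
static bool mode_allows(const struct node *n, unsigned uid, unsigned gid,
                        unsigned want)
{
    unsigned bits;
    if (uid == n->uid)      bits = (n->mode >> 6) & 7;
    else if (gid == n->gid) bits = (n->mode >> 3) & 7;
    else                    bits = n->mode & 7;
    return (bits & want) == want;
}

/* Assumed policy: root may mount anything; any other user must own the mount
 * point and have read (plus write unless read-only) access to the device.
 * *user_mount reports whether the mount should carry the user-mount flag. */
enum verdict mount_check(unsigned uid, unsigned gid, const struct node *dir,
                         const struct node *dev, bool rdonly, bool *user_mount)
{
    *user_mount = false;
    if (!dir->is_dir)    return V_NOT_DIR;
    if (!dev->is_blkdev) return V_NOT_BLKDEV;
    if (uid == 0)        return V_OK;
    if (dir->uid != uid) return V_NOT_OWNER;
    if (!mode_allows(dev, uid, gid, rdonly ? 4u : 6u)) return V_DEV_DENIED;
    *user_mount = true;
    return V_OK;
}

/* Constructed sample: caller is uid 1000, gid 100; device is owned 0:5. */
enum verdict sample(unsigned dir_owner, unsigned dev_mode, bool rdonly, bool *um)
{
    struct node dir = { true, false, dir_owner, 0, 0755 };
    struct node dev = { false, true, 0, 5, dev_mode };
    return mount_check(1000, 100, &dir, &dev, rdonly, um);
}

int main(void)
{
    bool um;
    printf("%d\n", sample(0, 0640, false, &um));    /* 3: V_NOT_OWNER */
    printf("%d\n", sample(1000, 0640, false, &um)); /* 4: V_DEV_DENIED */
    printf("%d\n", sample(1000, 0666, false, &um)); /* 0: V_OK */
    return 0;
}
```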