Subject: kern/5106: recent chown(2) change introduces security hazard
To: None <gnats-bugs@gnats.netbsd.org, jaw@Op.Net>
From: Jeff Weisberg <jaw@Op.Net>
List: netbsd-bugs
Date: 03/03/1998 11:19:51
>Number:         5106
>Category:       kern
>Synopsis:       recent chown(2) change dangerous in heterogeneous nfs environment
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Mar  3 08:20:00 1998
>Last-Modified:
>Originator:     
>Organization:
>Release:        current - 1998/02
>Environment:
System: NetBSD pisarro.op.net 1.3C NetBSD 1.3C (PISARRO) #57: Wed Feb 18 09:41:24 EST 1998 jaw@pisarro.op.net:/usr/src/NetBSD-current/src/sys/arch/sparc/compile/PISARRO sparc


>Description:

the test as to whether we should actually change the owner of a file
was recently moved from "ufs_vnops.c/ufs_chown()" to
"vfs_syscalls.c/change_owner()"

consider the case of mounting a filesystem from a NetBSD-current based
box to a system not NetBSD-current based (either NetBSD-older, or any
non-NetBSD system):

I can now, as a non-privileged user on the 2nd system, chown(2) a
file mounted from the NetBSD-current box successfully, as we now
take the following path through kernel-land:

	chown() -> sys_chown() -> change_owner() -> nfs_setattr() ---->
to the current box:
	nfsrv_setattr() -> ufs_setattr() -> ufs_chown()

the "don't let non-root people chown things" test is avoided completely.

this can be exploited to gain root privs.


>How-To-Repeat:

older % cd /dir-mounted-from-netbsd-current
older % cp /bin/sh .
older % chmod u+s sh
older % chown root:wheel sh
older % ls -lg sh
-rwsrwxr-x  1 root     wheel        6113 Mar  1 10:13 sh
older % ./sh
older #

[note: chown(8) does not permit users to run it, a simple c or perl
prog replacement will suffice]

>Fix:
	

place the test back in the ufs layer. security-holics would likely suggest
(and I'd agree with them) that the test should be done in *both* places.


>Audit-Trail:
>Unformatted:
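The test the Fix section wants back in the ufs layer, as an added stand-alone model that is not NetBSD's code: the struct layouts, the constructed file owned by 1000:1000, and the function names ufs_chown_check, nfsrv_setattr_owner and remote_chown are assumptions made for the example. It shows the server-side path refusing the report's request no matter what the client kernel checked or skipped.

```c
/* Added example, not NetBSD's code: a stand-alone model of the 4.4BSD-style
 * ownership-change test that the report says must live in the ufs layer,
 * because an NFS server cannot rely on the client kernel having run it. */
#include <errno.h>
#include <stdbool.h>
#include <sys/stat.h>
#include <sys/types.h>
struct cred { uid_t uid; gid_t gids[16]; int ngroups; }; /* caller's credential */
struct inode { uid_t uid; gid_t gid; mode_t mode; };    /* ownership and mode */

static bool groupmember(gid_t gid, const struct cred *cr) {
    for (int i = 0; i < cr->ngroups; i++)
        if (cr->gids[i] == gid)
            return true;
    return false;
}

/* The "don't let non-root people chown things" test, modelled on ufs_chown():
 * root may do anything; anyone else must own the file, keep its uid, and may
 * only move the group to one they belong to. Returns 0 or EPERM. A non-root
 * caller that does change something also loses the set-id bits. */
int ufs_chown_check(struct inode *ip, uid_t uid, gid_t gid, const struct cred *cr) {
    bool is_root = (cr->uid == 0);
    if (!is_root && (cr->uid != ip->uid || uid != ip->uid ||
                     (gid != ip->gid && !groupmember(gid, cr))))
        return EPERM;
    if (!is_root && (uid != ip->uid || gid != ip->gid))
        ip->mode &= ~(S_ISUID | S_ISGID);
    ip->uid = uid;
    ip->gid = gid;
    return 0;
}

/* Server-side setattr path: applies the test to the credential carried by the
 * NFS request, whatever the client kernel did or skipped in change_owner(). */
int nfsrv_setattr_owner(struct inode *ip, uid_t uid, gid_t gid, const struct cred *rc) {
    return ufs_chown_check(ip, uid, gid, rc);
}

/* Models one remote chown request against a constructed file owned by
 * 1000:1000 with both set-id bits on. The caller has uid `caller` and groups
 * {caller, extra}. Returns -1 if the server refuses, else the resulting mode. */
int remote_chown(uid_t caller, gid_t extra, uid_t new_uid, gid_t new_gid) {
    struct cred rc = { caller, { caller, extra }, 2 };
    struct inode f = { 1000, 1000, S_IRWXU | S_ISUID | S_ISGID };
    if (nfsrv_setattr_owner(&f, new_uid, new_gid, &rc) != 0)
        return -1;
    return (int)f.mode;
}
```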