[10509] in bugtraq
SunOS 5.7 rmmount, no nosuid.
daemon@ATHENA.MIT.EDU (Jonas Stahre)
Mon May 10 08:04:51 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.4.05.9905100836580.94142-100000@allevil.campus.luth.se>
Date: Mon, 10 May 1999 09:14:12 +0200
Reply-To: Jonas Stahre <yes@ALLEVIL.CAMPUS.LUTH.SE>
From: Jonas Stahre <yes@ALLEVIL.CAMPUS.LUTH.SE>
To: BUGTRAQ@NETSPACE.ORG
The man-page for rmmount under SunOS 5.7 says:
File systems mounted by rmmount are always mounted with the
nosuid flag set, thereby disabling set-uid programs and
access to block or character devices in that file system.
...this is unfortunately wrong.
All you have to do to get root-privileges is to insert a floppy/cdrom with
a setuid shell and a volcheck and an evil grin later you have a root
prompt.
There is a workaround that fix the problem, just add these lines to your
/etc/rmmount.conf:
mount hsfs -o nosuid
mount ufs -o nosuid
(I've also heard that using a SunOS 5.6 rmmount binary would fix the
problem, but I haven't tried it myself.)
I have only tested this on Ultra5 with floppies on SunOS 5.7, but I am
pretty sure it works on all SunOS 5.7 machines (with floppy and/or cdrom).
/Jonas Stahre
PS. Yes, I've talked to Sun about this some time ago. So I have gone
through the proper channels.
PPS. My signature says "/bin/sh" NOT "/bin/bash", ok?
#!/bin/sh -- # set i=echo;set I='u[Cu[Cu[C';set l="tr u \033";$L .-.
clear;cat $0;cat $0|sed '/D/d;s/L.*$/l/;s/.*# //;s/1/;71H/g'|csh -f;[ V ]
# while 2;$i "u[31/$I\u[21 $I "|$l;$i "u[31 $I u[21_${I}_"|$L (( ))
# end;$i "u[31 $I u[21\$I/"|$l;$i "u[21_${I}_"|$L -yes@ludd.luth.se- ^ ^