[10509] in bugtraq

home help back first fref pref prev next nref lref last post

SunOS 5.7 rmmount, no nosuid.

daemon@ATHENA.MIT.EDU (Jonas Stahre)
Mon May 10 08:04:51 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.4.05.9905100836580.94142-100000@allevil.campus.luth.se>
Date: 	Mon, 10 May 1999 09:14:12 +0200
Reply-To: Jonas Stahre <yes@ALLEVIL.CAMPUS.LUTH.SE>
From: Jonas Stahre <yes@ALLEVIL.CAMPUS.LUTH.SE>
To: BUGTRAQ@NETSPACE.ORG

The man-page for rmmount under SunOS 5.7 says:

     File systems mounted by rmmount  are always mounted with the
     nosuid  flag  set,  thereby  disabling  set-uid programs and
     access to block or character devices in  that  file  system.

...this is unfortunately wrong.

All you have to do to get root-privileges is to insert a floppy/cdrom with
a setuid shell and a volcheck and an evil grin later you have a root
prompt.

There is a workaround that fix the problem, just add these lines to your
/etc/rmmount.conf:

mount hsfs -o nosuid
mount ufs -o nosuid

(I've also heard that using a SunOS 5.6 rmmount binary would fix the
problem, but I haven't tried it myself.)

I have only tested this on Ultra5 with floppies on SunOS 5.7, but I am
pretty sure it works on all SunOS 5.7 machines (with floppy and/or cdrom).

  /Jonas Stahre

PS.  Yes, I've talked to Sun about this some time ago. So I have gone
     through the proper channels.
PPS. My signature says "/bin/sh" NOT "/bin/bash", ok?

#!/bin/sh -- # set i=echo;set I='u[Cu[Cu[C';set l="tr u \033";$L       .-.
clear;cat $0;cat $0|sed '/D/d;s/L.*$/l/;s/.*# //;s/1/;71H/g'|csh -f;[   V   ]
# while 2;$i "u[31/$I\u[21 $I "|$l;$i "u[31 $I u[21_${I}_"|$L         (( ))
# end;$i "u[31 $I u[21\$I/"|$l;$i "u[21_${I}_"|$L  -yes@ludd.luth.se-  ^ ^

home help back first fref pref prev next nref lref last post