[3240] in bugtraq

[linux-security] smbmount (and ncpmount?)

daemon@ATHENA.MIT.EDU (David Holland)
Wed Aug 21 15:56:22 1996

Date: 	Wed, 21 Aug 1996 11:53:36 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: David Holland <dholland@hcs.HARVARD.EDU>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

smbmount has half a dozen possible buffer overruns. It also execs
modprobe setuid root; I believe this is likely to be a significant
hazard. Patches have been sent to the maintainer.

There's a more serious problem that more or less has to affect
ncpmount and any other similar program: there's a race condition
between when the mount point is checked for permission and when the
mount is performed. Thus anyone can mount shares anywhere by playing
symlink games, and of course become root about ten seconds later.

This problem cannot be fixed without updating the kernel - either the
permission check needs to be moved into the kernel, or the mount point
needs to be passed to the kernel as a fd instead of a pathname.

Myself, I prefer moving the permission check into the kernel; Ultrix
supported user NFS mounts that way long, long ago.

Recommendation: chmod -s smbmount and smbumount, and probably ncpmount
too.

--
   - David A. Holland          | Number of words in the English language that
     dholland@hcs.harvard.edu  | exist because of typos or misreadings: 381