Unprivileged user can write to mbr

Ruben de Groot mail25 at bzerk.org
Mon Dec 6 08:05:29 PST 2004


I'm having trouble rationalizing the behaviour described below. Is this
a security-issue (bug) or a feature?
(this is 5-STABLE, oct 26, 2004)

- An unprivileged user 'bztest' with read-only access to /dev/ar0:

uid=1004(bztest) gid=1004(test) groups=1004(test), 5(operator)
%ls -l /dev/ar0
crw-r-----  1 root  operator    4,  21 Nov 23 17:34 /dev/ar0

- Now, the device ar0 has the standard mbr installed:

%cmp /dev/ar0 /boot/mbr
/dev/ar0 /boot/mbr differ: char 447, line 1

- The boot0cfg program does not have any setuid bits:

%ls -l /usr/sbin/boot0cfg
-r-xr-xr-x  1 root  wheel  7940 Oct 26 22:47 /usr/sbin/boot0cfg

- The test user now uses boot0cfg to install the boot0 bootblock:

%boot0cfg -B -b /boot/boot0 /dev/ar0
%cmp /dev/ar0 /boot/mbr
/dev/ar0 /boot/mbr differ: char 13, line 1
%cmp /dev/ar0 /boot/boot0
/dev/ar0 /boot/boot0 differ: char 447, line 5

Can somebody explain this?

Ruben de Groot

More information about the freebsd-questions mailing list