Unprivileged user can write to mbr
Ruben de Groot
mail25 at bzerk.org
Mon Dec 6 07:17:57 PST 2004
Hi,
I'm having trouble rationalizing the behaviour described below. Is this
a security-issue (bug) or a feature?
- An unprivileged user 'bztest' with read-only access to /dev/ar0:
%id
uid=1004(bztest) gid=1004(test) groups=1004(test), 5(operator)
%ls -l /dev/ar0
crw-r----- 1 root operator 4, 21 Nov 23 17:34 /dev/ar0
- Now, the device ar0 has the standard mbr installed:
%cmp /dev/ar0 /boot/mbr
/dev/ar0 /boot/mbr differ: char 447, line 1
- The boot0cfg program does not have any setuid bits:
%ls -l /usr/sbin/boot0cfg
-r-xr-xr-x 1 root wheel 7940 Oct 26 22:47 /usr/sbin/boot0cfg
- The test user now uses boot0cfg to install the boot0 bootblock:
%boot0cfg -B -b /boot/boot0 /dev/ar0
%cmp /dev/ar0 /boot/mbr
/dev/ar0 /boot/mbr differ: char 13, line 1
%cmp /dev/ar0 /boot/boot0
/dev/ar0 /boot/boot0 differ: char 447, line 5
Can somebody explain this?
thanks,
Ruben de Groot
More information about the freebsd-security
mailing list