Unprivileged user can write to mbr

Ruben de Groot mail25 at bzerk.org
Mon Dec 6 07:20:44 PST 2004


I forgot to mention:

%uname -a
FreeBSD ei.bzerk.org 5.3-STABLE FreeBSD 5.3-STABLE #56: Tue Oct 26 06:49:27 CEST 2004     root at ei.bzerk.org:/usr/build/usr/obj/usr/build/releng_5/usr/src/sys/SMP-EI  i386

On Mon, Dec 06, 2004 at 04:20:10PM +0100, Ruben de Groot typed:
> 
> Hi, 
> 
> I'm having trouble rationalizing the behaviour described below. Is this
> a security-issue (bug) or a feature?
> 
> - An unprivileged user 'bztest' with read-only access to /dev/ar0:
> 
> %id
> uid=1004(bztest) gid=1004(test) groups=1004(test), 5(operator)
> %ls -l /dev/ar0
> crw-r-----  1 root  operator    4,  21 Nov 23 17:34 /dev/ar0
> 
> - Now, the device ar0 has the standard mbr installed:
> 
> %cmp /dev/ar0 /boot/mbr
> /dev/ar0 /boot/mbr differ: char 447, line 1
> 
> - The boot0cfg program does not have any setuid bits:
> 
> %ls -l /usr/sbin/boot0cfg
> -r-xr-xr-x  1 root  wheel  7940 Oct 26 22:47 /usr/sbin/boot0cfg
> 
> - The test user now uses boot0cfg to install the boot0 bootblock:
> 
> %boot0cfg -B -b /boot/boot0 /dev/ar0
> %cmp /dev/ar0 /boot/mbr
> /dev/ar0 /boot/mbr differ: char 13, line 1
> %cmp /dev/ar0 /boot/boot0
> /dev/ar0 /boot/boot0 differ: char 447, line 5
> 
> Can somebody explain this?
> 
> thanks,
> Ruben de Groot
> 


More information about the freebsd-security mailing list