Bugtraq mailing list archives
Re: nfs_mount in AIX
From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Wed, 26 Apr 1995 08:04:09 -0400
It appears that the completely undocumented routine 'nfs_mount' can be used by a non-root user to mount a daemon on a directory ala NFS. It seems to me that this is a very nasty security hole.Here's a little additional information..... the nfs_mount routine does its work through the vmount() system call, which is documented. If this is a security hole at all, then it's because it would let an attacker mount a remote filesystem under his control onto a world-readable directory like /tmp or /var/preserve, and thereby grab a copy of everything that was written to that directory.
I don't have access to AIX, so I can't read the vmount() docs, so this may be a non-issue...but unless it enforces "nosuid,nodev" for non-root mounts, there are much greater problems - like someone mounting a filesystem providing suid executables, or device special files with permissive mode bits. (Note that if, as the first message implies, vmount() allows the mounting of a daemon on a directory, then these executables and/or special files do not have to actually exist anywhere; root access on another machine is not needed.) der Mouse mouse () collatz mcrcim mcgill edu
Current thread:
- Re: nfs_mount in AIX der Mouse (Apr 26)
- <Possible follow-ups>
- Re: nfs_mount in AIX Quentin Fennessy (Apr 26)
- Re: nfs_mount in AIX Asriel DeCatte (Apr 30)
- Re: nfs_mount in AIX Andrew Dawson (Apr 27)