From proff  Thu Aug 22 10:58:50 1996
Approved-By: ALEPH1@UNDERGROUND.ORG
X-Mailer: ELM [version 2.4 PL22]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Precedence: list
Approved-By:  Aleph One <aleph1@DFW.NET>
Message-ID: <199608202319.TAA28838@hcs.harvard.edu>
Date: 	Wed, 21 Aug 1996 11:53:36 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
Sender: proff
From: David Holland <dholland@hcs.HARVARD.EDU>
Subject:      [linux-security] smbmount (and ncpmount?)
X-cc:         linux-kernel@vger.rutgers.edu
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

smbmount has half a dozen possible buffer overruns. It also execs
modprobe setuid root; I believe this is likely to be a significant
hazard. Patches have been sent to the maintainer.

There's a more serious problem that more or less has to affect
ncpmount and any other similar program: there's a race condition
between when the mount point is checked for permission and when the
mount is performed. Thus anyone can mount shares anywhere by playing
symlink games, and of course become root about ten seconds later.

This problem cannot be fixed without updating the kernel - either the
permission check needs to be moved into the kernel, or the mount point
needs to be passed to the kernel as a fd instead of a pathname.

Myself, I prefer moving the permission check into the kernel; Ultrix
supported user NFS mounts that way long, long ago.

Recommendation: chmod -s smbmount and smbumount, and probably ncpmount
too.

--
   - David A. Holland          | Number of words in the English language that
     dholland@hcs.harvard.edu  | exist because of typos or misreadings: 381
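An added illustration (my code, not the post's and not smbmount's) of the check-then-mount pattern described above beside the fd-based shape the post proposes: open the directory first, check ownership on the open descriptor, and hand that descriptor to whatever performs the mount. Function names and the temp-dir fixture are my own; how the kernel consumes the descriptor (the part the post says needs a kernel change) is not shown.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Path-based check (the pattern the post describes, not smbmount's code): stat()
 * follows symlinks, and the caller later hands the same pathname to mount(). */
int mountpoint_check_by_path(const char *path, uid_t uid)
{
    struct stat st;
    if (stat(path, &st) == -1) return -1;
    return (S_ISDIR(st.st_mode) && st.st_uid == uid) ? 0 : -1;
}

/* fd-based alternative: open the directory itself (O_NOFOLLOW refuses a symlink
 * as the last component), check ownership with fstat(), return the bound fd. */
int mountpoint_open_checked(const char *path, uid_t uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd == -1) return -1;
    if (fstat(fd, &st) == -1 || !S_ISDIR(st.st_mode) || st.st_uid != uid) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Constructed fixture: a caller-owned directory reached through a symlink.
 * Returns 1 when the path check accepts the link but the fd-based open refuses it. */
int demo_symlink_mountpoint(void)
{
    char dir[] = "/tmp/mp-demo-XXXXXX", lnk[64];
    uid_t me = getuid();
    int fd, ok;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(lnk, sizeof lnk, "%s.lnk", dir);
    if (symlink(dir, lnk) == -1) { rmdir(dir); return 0; }
    fd = mountpoint_open_checked(dir, me);            /* real directory: both accept */
    ok = mountpoint_check_by_path(dir, me) == 0 && fd >= 0;
    if (fd >= 0) close(fd);
    ok = ok && mountpoint_check_by_path(lnk, me) == 0  /* symlink: only stat() is fooled */
            && mountpoint_open_checked(lnk, me) == -1;
    unlink(lnk);
    rmdir(dir);
    return ok;
}
```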
