From nobody@FreeBSD.org  Mon Jan 14 21:00:02 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 0373537B417
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 Jan 2002 21:00:02 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g0F501j53134;
	Mon, 14 Jan 2002 21:00:01 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200201150500.g0F501j53134@freefall.freebsd.org>
Date: Mon, 14 Jan 2002 21:00:01 -0800 (PST)
From: Russell Lahti <rjl@logicalhost.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: user uploading files somehow overwrote /dev/null
X-Send-Pr-Version: www-1.0

>Number:         33910
>Category:       misc
>Synopsis:       user uploading files somehow overwrote /dev/null
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 14 21:00:02 PST 2002
>Closed-Date:    Tue Jan 15 03:02:00 PST 2002
>Last-Modified:  Tue Jan 15 03:10:00 PST 2002
>Originator:     Russell Lahti
>Release:        4.4
>Organization:
Logical Web Hosting
>Environment:
FreeBSD srv4.logicalhost.com 4.4-RELEASE FreeBSD 4.4-RELEASE #12: Sun Sep 16 10:08:01 EDT 2001     root@srv4.logicalhost.com:/usr/src/sys/compile/LWH  i386
>Description:
      One of the users on one of our servers was uploading pictures to their website.  Somehow in the process he was able to overwrite /dev/null to contain: "kill: 91410: No such process"

/dev/null was now owned by his username, and basically broke the
whole machine until I remade /dev/null.

%ls -al /dev/null
-rw-r--r--   1 username   usergroup        29 Jan  7 07:31 null

Nobody else had access to his username, and the only way he had
accessed the system was with an ftp client and the machine is running stock ftpd.  I checked all of my logs extensively and nothing seems to be out of place.  The ftp transfer log doesn't contain anything relating to that PID, but the time frame does fit exactly for when
the file was overwritten:

Jan  7 00:28:34 srv4 ftpd[91324]: delete /usr/home/username/www/user.html
** file was overwritten here **
Jan  7 00:28:48 srv4 ftpd[91609]: connection from internal (192.168.1.125)

>How-To-Repeat:
      I have been unable to repeat this situation on my own.  I apologize ahead of time for this; I figured this would be a good place to start because of the possible problems it may cause if it is found to be a true bug.
>Fix:
      
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Tue Jan 15 03:02:00 PST 2002 
State-Changed-Why:  
Believed to be either wrong ownership and/or permissions for
the /dev directory.  Alternatively, the unnamed server
software could be running with the effective UID of root.

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=33910 

From: Ruslan Ermilov <ru@FreeBSD.org>
To: Russell Lahti <rjl@logicalhost.com>
Cc: bug-followup@FreeBSD.org
Subject: Re: misc/33910: user uploading files somehow overwrote /dev/null
Date: Tue, 15 Jan 2002 13:01:54 +0200

 On Mon, Jan 14, 2002 at 09:00:01PM -0800, Russell Lahti wrote:
 > 
 > /dev/null was now owned by his username, and basically broke the
 > whole machine until I remade /dev/null.
 > 
 > %ls -al /dev/null
 > -rw-r--r--   1 username   usergroup        29 Jan  7 07:31 null
 > 
 > Nobody else had access to his username, and the only way he had
 > accessed the system was with an ftp client and the machine is running stock ftpd.  I checked all of my logs extensively and nothing seems to be out of place.  The ftp transfer log doesn't contain anything relating to that PID, but the time frame does fit exactly for when
 > the file was overwritten:
 > 
 > Jan  7 00:28:34 srv4 ftpd[91324]: delete /usr/home/username/www/user.html
 > ** file was overwritten here **
 > Jan  7 00:28:48 srv4 ftpd[91609]: connection from internal (192.168.1.125)
 > 
 An owner of the /dev directory (or any user that has write permission)
 may delete /dev/null entry and create a regular file in place of it.
 Please verify that the ownership and permissions are set correctly for
 /dev.
 
 
 Cheers,
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
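
The check ru asks for, written out as a small audit function. This is an added example, not part of the PR or of FreeBSD; it assumes only a POSIX shell with `ls`, `dirname` and `cut`, and parses `ls -ld` output because its mode and owner fields look the same on FreeBSD and GNU systems (the `audit_devnode` name is the example's own).

```sh
#!/bin/sh
# audit_devnode PATH: report whether a device node is still a character
# device owned by root, and whether its directory is owned by root and
# closed to group/other writes. Anyone who can write the directory can
# unlink the node and drop a regular file in its place, which is exactly
# what the PR describes for /dev/null. Prints "ok" or the findings;
# returns 0 when everything is in order, 1 otherwise.
audit_devnode() {
    node=$1
    dir=$(dirname "$node")
    findings=""

    # `ls -ld` field 1 is the mode string, field 3 the owner, on both
    # BSD and GNU userlands.
    set -- $(ls -ld "$node" 2>/dev/null)
    if [ $# -lt 3 ]; then
        echo "$node: missing"
        return 1
    fi
    mode=$1 owner=$3
    case $mode in
        c*) ;;    # character device, as expected
        *)  findings="$findings $node is not a character device ($mode);" ;;
    esac
    [ "$owner" = root ] || findings="$findings $node owned by $owner, not root;"

    # Same two fields for the containing directory.
    set -- $(ls -ld "$dir" 2>/dev/null)
    dmode=$1 downer=$3
    [ "$downer" = root ] || findings="$findings $dir owned by $downer, not root;"
    # Characters 6 and 9 of the mode string are the group and other
    # write bits; either one set means the node can be replaced.
    case $(printf %s "$dmode" | cut -c6,9) in
        --) ;;
        *)  findings="$findings $dir writable by group or others ($dmode);" ;;
    esac

    if [ -z "$findings" ]; then
        echo ok
        return 0
    fi
    echo "$findings"
    return 1
}
```

Run it as `audit_devnode /dev/null` from a cron job or a post-boot check; a regular file named `null`, or a group- or world-writable `/dev`, both come back as findings.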
>Unformatted:
