Bugtraq mailing list archives
a bug in IRIX open() as well [was Re: Possible SERIOUS bug in
From: mkienenb () arsc edu (Mike Kienenberger)
Date: Fri, 24 Oct 1997 11:48:22 -0800
As long as we're on the topic of broken open() calls, here's one I discovered last February in IRIX 6.2.

Basically, if you have SGI NFS clients mounting filesystems from SGI NFS servers with "root-as-nobody" access (access= entry, but no root= entry), you can open() any regular file from the NFS client. You can't read it, but you can open it.

Once you've opened it, this tends to corrupt the kernel file tables. Often this results in the following possibilities:

- Root on the client can now read the file.
- No one else can access the file.

This continues until the machine is rebooted, thus it's most likely only a problem in the SGI NFS client side of the software.

SGI did finally create Bug #465954, but I've been told that it's unlikely that it'll be fixed anytime soon. SGI's only response has been the following:

"The only workaround at this time for Bug #465954 is to specify the root= option in /etc/exports. One of our lead engineer has stated in the bug report that this does not cause a security problem, so it should be safe for you to implement."

The only useful workaround I've been able to determine is to make sure that any non-"root-as-nobody"-readable files are located in directories that are also not accessible by "root-as-nobody" so that this condition never pops up.

--
Mike Kienenberger
Arctic Region Supercomputing Center
Systems Analyst
(907) 474-6842
mkienenb () arsc edu
http://www.arsc.edu
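An added example, not part of the original post: a server-side audit for the directory-layout workaround described above, listing regular files that "nobody" cannot read but can still reach by path. The function names are hypothetical, the nobody uid/gid of 65534 is an assumption (use the value from the server's own passwd file), and only classic mode bits are checked, not ACLs.

```python
import os
import stat
import sys

def allowed(st, uid, gids, bit):
    """Classic Unix mode-bit check; bit is 4 (read) or 1 (search/execute)."""
    if st.st_uid == uid:
        shift = 6          # owner class
    elif st.st_gid in gids:
        shift = 3          # group class
    else:
        shift = 0          # other class
    return bool((st.st_mode >> shift) & bit)

def exposed_files(export_root, uid=65534, gids=frozenset({65534})):
    """Return regular files under export_root that uid cannot read but can
    still name in an open() call, because every directory on the path from
    export_root grants that uid search permission."""
    hits = []
    stack = [export_root]
    while stack:
        d = stack.pop()
        if not allowed(os.lstat(d), uid, gids, 1):
            continue  # not searchable: nothing below is reachable by name
        for name in os.listdir(d):
            p = os.path.join(d, name)
            st = os.lstat(p)   # lstat: symlinks are neither followed nor reported
            if stat.S_ISDIR(st.st_mode):
                stack.append(p)
            elif stat.S_ISREG(st.st_mode) and not allowed(st, uid, gids, 4):
                hits.append(p)
    return sorted(hits)

if __name__ == "__main__":
    # Usage: run as root on the NFS server, passing each exported directory.
    for root in sys.argv[1:]:
        for path in exposed_files(root):
            print(path)
```

Each path printed is a file the workaround would have you move under a directory that "nobody" cannot search.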