I'm sorry to clutter the list, but here is the same message in plain-text...I just realized I was composing in HTML, and the digests ignore HTML...
On Wed, 2008-05-14 at 13:26 -0400, Mark Tomich wrote:
> Sorry, I failed to mention I've tested this on 2.1.11 and 2.3.3 and it
> happens on both.
>
> On Wed, 2008-05-14 at 11:58 -0400, Mark Tomich wrote:
> >
> > My root filesystem is unionfs which combines a mounted squashfs
> > image with an initially empty, read-write tmpfs. In this setup, an
> > unprivileged user is permitted to modify (for instance) /etc/passwd
> > (uid=0, gid=0, mode=644), this modified file is saved in the
> > read-write branch, and then the user is not permitted to modify the
> > file further (i.e. additional attempts by the unprivileged user to
> > modify the file would result in the proper response of "permission
> > denied"). If a user were to use this to edit /etc/sudoers, he could
> > easily exploit this bug to grant himself unlimited system access.
> >
> > I'm guessing I'm not the only one out there who has a setup
> > rather like this, so I'm hoping somebody else out there could help
> > me verify this bug.
> >
> > Thanks,
> > Mark Tomich
_______________________________________________
unionfs mailing list: http://unionfs.filesystems.org/
unionfs@mail.fsl.cs.sunysb.edu
http://www.fsl.cs.sunysb.edu/mailman/listinfo/unionfs
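An added example, not part of the original message or of unionfs: a Python audit for the setup described above that compares the read-write branch against the read-only branch and lists files that are protected in the lower branch (owned by a given uid, not group- or world-writable) yet have a differing copy in the upper branch. The function name and the two branch paths given on the command line are assumptions; a legitimate edit by root produces the same hit, so the output is a list to review.

```python
import filecmp
import os
import stat
import sys


def audit_copied_up(lower, upper, protected_uid=0):
    """Return relative paths of regular files that are owned by
    protected_uid and not group/world-writable in the lower (read-only)
    branch, but whose copy in the upper (read-write) branch differs."""
    findings = []
    for root, _dirs, files in os.walk(upper):
        for name in files:
            up = os.path.join(root, name)
            rel = os.path.relpath(up, upper)
            low = os.path.join(lower, rel)
            try:
                low_st = os.lstat(low)
                up_st = os.lstat(up)
            except FileNotFoundError:
                continue  # file only exists in the upper branch
            if not (stat.S_ISREG(low_st.st_mode) and stat.S_ISREG(up_st.st_mode)):
                continue  # skip symlinks, devices, sockets
            if low_st.st_uid != protected_uid:
                continue  # not owned by the protected account
            if low_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                continue  # other users may legitimately write it
            # Byte-for-byte comparison, not just size and mtime.
            if not filecmp.cmp(low, up, shallow=False):
                findings.append(rel)
    return sorted(findings)


if __name__ == "__main__":
    # Usage (paths are assumptions): audit.py <squashfs mount> <tmpfs branch>
    for path in audit_copied_up(sys.argv[1], sys.argv[2]):
        print("protected file modified in rw branch:", path)
```

Run it as root against the underlying branch mount points, not against the merged unionfs view.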