Subject: kern/606: mount_ados/adosfs insecure
To: None <gnats-admin@sun-lamp.cs.berkeley.edu>
From: Chris G. Demetriou <cgd@NetBSD.ORG>
List: netbsd-bugs
Date: 12/03/1994 15:50:07
>Number:         606
>Category:       kern
>Synopsis:       mount_ados allows anybody to mount an ados fs anywhere.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Dec  3 15:50:04 1994
>Originator:     Chris G. Demetriou
>Organization:
Kernel Hackers 'r' Us
>Release:        1.0A
>Environment:
	
System: NetBSD sun-lamp.cs.berkeley.edu 1.0 NetBSD 1.0 (SUN_LAMP) #9: Sun Nov 20 22:47:57 PST 1994 mycroft@sun-lamp.cs.berkeley.edu:/e/mycroft/sys/arch/i386/compile/SUN_LAMP i386


>Description:
	(reported by Matthias Scheler <tron@lyssa.owl.de>.)

	mount_ados allows any user to mount any block device as an ados
	file system, on any directory, because it's set-uid and a
	set of important checks is omitted from the adosfs mount code.

	also, adosfs code doesn't set user-mount flag, so user can unmount
	the file system.

>How-To-Repeat:
	as a random user:

	mount_ados <block device> <dir>
	where you don't necessarily have appropriate permissions on the
	block device or the directory.  (note that it works.)

	umount <dir>
	(note that it fails)

>Fix:
	"quick fix": chmod 555 /sbin/mount_ados
	correct fix: clone the permissions checking code out of msdosfs,
		so that permissions are correctly checked for ados file
		systems.  also, properly set the user-mount flag, and
		make sure the adosfs unmount code does the right thing.

	I would do it myself, but I have absolutely no hope of testing it.
>Audit-Trail:
>Unformatted: