COMMAND

    kernel (umapfs)

SYSTEMS AFFECTED

    NetBSD

PROBLEM

    Following  is  based  on  NetBSD  Security Advisory.  Insufficient
    kernel checking  in the  umapfs virtual  file system  allows local
    users to remap their user id to any other user including the  root
    user.  umapfs is enabled  in the default (GENERIC) kernel  for the
    following  ports:   amiga,  arm32,  atari,  bebox,  i386,  mac68k,
    macppc, newsmips, next68k,  next68k, ofppc, pmax,  sparc, sparc64,
    vax, x68k.   The alpha,  hp300, mvme68k,  pc532 and  sun3 ports do
    not include umapfs by default.

    umapfs creates a  null layer, duplicating  a sub-tree of  the file
    system name space  under another part  of the global  file system,
    with uid/gid remapping.   The uid and  gid mappings are  described
    in  two  files  supplied  by  the  user  to mount_umap(8).  When a
    umapfs mount is  attempted, no additional  checks are done  in the
    kernel other than the usual checks: the user must be root, or have
    read access of the  target and be owner  of the mount point.   The
    only  permission  checks  made  were  erroneously  placed  in  the
    mount_umap(8) command.   A malicious  user can  compile their  own
    mount_umap binary that does not  include these checks.  With  this
    modified  mount_umap  a  user  can  mount any directory on another
    directory they have  write access to  with their uid  mapped to 0.
    They will then have be able to create and modify root owned  files
    in the source  directory, including the  ability to create  setuid
    root binaries.

    Thanks go to Manuel Bouyer for the discovery and solution for this
    problem.

SOLUTION

    A patch is available for  the NetBSD 1.3.3 which restricts  umapfs
    mounts to root  and fixes the  above problem.   You may find  this
    patch on the NetBSD ftp server:

        ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990311-umapfs

    NetBSD-current  since  19990312  is  not  vulnerable.   Users   of
    NetBSD-current  should  upgrade  to  a  source  tree  later   than
    19990312.   If neither  of the  above can  be performed,  a simple
    work around is to remove umapfs from your kernel configuration and
    rebuild a kernel.  For this you need to remove or comment out  the
    line:

        file-system     UMAPFS          # NULLFS + uid and gid remapping

    in  the  configuration  file.   See  these URL's for documentation
    building a NetBSD kernel:

        http://www.NetBSD.ORG/Documentation/kernel/index.html#downloading_kernel_source
        http://www.NetBSD.ORG/Documentation/kernel/index.html#building_a_kernel