COMMAND
	    kernel (umapfs)
SYSTEMS AFFECTED
	    NetBSD
PROBLEM
	    Following  is  based  on  NetBSD  Security Advisory.  Insufficient
	    kernel checking  in the  umapfs virtual  file system  allows local
	    users to remap their user id to any other user including the  root
	    user.  umapfs is enabled  in the default (GENERIC) kernel  for the
	    following  ports:   amiga,  arm32,  atari,  bebox,  i386,  mac68k,
	    macppc, newsmips, next68k,  next68k, ofppc, pmax,  sparc, sparc64,
	    vax, x68k.   The alpha,  hp300, mvme68k,  pc532 and  sun3 ports do
	    not include umapfs by default.
	    umapfs creates a  null layer, duplicating  a sub-tree of  the file
	    system name space  under another part  of the global  file system,
	    with uid/gid remapping.   The uid and  gid mappings are  described
	    in  two  files  supplied  by  the  user  to mount_umap(8).  When a
	    umapfs mount is  attempted, no additional  checks are done  in the
	    kernel other than the usual checks: the user must be root, or have
	    read access of the  target and be owner  of the mount point.   The
	    only  permission  checks  made  were  erroneously  placed  in  the
	    mount_umap(8) command.   A malicious  user can  compile their  own
	    mount_umap binary that does not  include these checks.  With  this
	    modified  mount_umap  a  user  can  mount any directory on another
	    directory they have  write access to  with their uid  mapped to 0.
	    They will then have be able to create and modify root owned  files
	    in the source  directory, including the  ability to create  setuid
	    root binaries.
	    Thanks go to Manuel Bouyer for the discovery and solution for this
	    problem.
SOLUTION
	    A patch is available for  the NetBSD 1.3.3 which restricts  umapfs
	    mounts to root  and fixes the  above problem.   You may find  this
	    patch on the NetBSD ftp server:
	
	        ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990311-umapfs
	
	    NetBSD-current  since  19990312  is  not  vulnerable.   Users   of
	    NetBSD-current  should  upgrade  to  a  source  tree  later   than
	    19990312.   If neither  of the  above can  be performed,  a simple
	    work around is to remove umapfs from your kernel configuration and
	    rebuild a kernel.  For this you need to remove or comment out  the
	    line:
	
	        file-system     UMAPFS          # NULLFS + uid and gid remapping
	
	    in  the  configuration  file.   See  these URL's for documentation
	    building a NetBSD kernel:
	
	        http://www.NetBSD.ORG/Documentation/kernel/index.html#downloading_kernel_source
	        http://www.NetBSD.ORG/Documentation/kernel/index.html#building_a_kernel