COMMAND mount_union SYSTEMS AFFECTED FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current PROBLEM A bug was found in the union file system code which can allow an unprivileged local user to compromise system stability. This problem is present in all source code and binary distributions of FreeBSD version 2.x released before 1996-05-18. The union filesystem code had problems with certain mount ordering problems. By executing a certain sequence of mount_union commands, an unprivileged local user may cause a system reload. The problem could allow local users to compromise system stability. This vulnerability can only be exploited by users with a valid account on the local system. to crash system (as a normal user) try this: mkdir a mkdir b mount_union ~/a ~/b mount_union -b ~/a ~/b to got euid try this: export PATH=/tmp:$PATH echo /bin/sh >/tmp/modload chmod +x /tmp/modload mount_union /dir1 /dir2 SOLUTION The FreeBSD project is currently developing a solution to this problem, however the proper solution will not be available until a future FreeBSD release. We do not anticipate releasing patches for previous versions of FreeBSD due to the extensive nature of this fix. This security advisory will be updated as new information is made available. This vulnerability can quickly and easily be limited by removing the setuid permission bit from the mount_union program. This workaround will work for all versions of FreeBSD affected by this problem. As root, execute the command: % chmod u-s /sbin/mount_union then verify that the setuid permissions of the files have been removed. The permissions array should read "-r-xr-xr-x" as shown here: % ls -l /sbin/mount_union -r-xr-xr-x 1 root bin 53248 Apr 26 04:40 /sbin/mount_union In addition to changing the permissions on the executable files, if you have the source code installed, we suggest patching the sources so that mount_union will not be installed with the setuid bit set.