
FreeBSD: VID-2ed7e8db-e234-11ea-9392-002590bc43be: sysutils/openzfs-kmod -- critical permissions issues

Severity: 8
CVSS: (AV:N/AC:L/Au:S/C:C/I:C/A:N)
Published: Aug 20, 2020
Added: Aug 21, 2020
Modified: Dec 10, 2025

Description

Andrew Walker reports:

Issue 1: Users are always granted permission to cd into a directory. The check for whether execute is present on directories is a de-facto no-op. This cannot be mitigated without upgrading. Even setting an explicit "deny - execute" NFSv4 ACE will be bypassed.

Issue 2: All ACEs for the owner_group (group@) and regular groups (group:<foo>) are granted to the current user. This means that POSIX mode 770 is de-facto 777, and the below ACL is also de-facto 777 because the groupmember check for builtin_administrators returns True.

    root@TESTBOX[~]# getfacl testfile
    # file: testfile
    # owner: root
    # group: wheel
    group:builtin_administrators:rwxpDdaARWcCos:-------:allow
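The following audit helper is an added example, not code from the advisory or from the OpenZFS project. It shows what existing permissions effectively become on an affected openzfs-kmod system: the group triad of a POSIX mode is OR-ed into the "other" triad (Issue 2), group ACEs in a getfacl(1) dump are flagged as granted to every user (Issue 2), and deny-execute ACEs on directories are flagged as bypassed (Issue 1). The function names and the directory ACL sample are assumptions constructed for the example.

```shell
#!/bin/sh
# Added audit helper (not from the advisory or OpenZFS): report what
# permissions effectively become on an affected openzfs-kmod system.
#   Issue 2: group mode bits and group ACEs are granted to every user.
#   Issue 1: a deny-execute ACE on a directory does not stop traversal.

# effective_mode MODE: print the de-facto 3-digit POSIX mode. The group
# triad is OR-ed into the "other" triad (770 -> 777, 750 -> 755).
effective_mode() {
    owner=$(printf '%s' "$1" | cut -c1)
    group=$(printf '%s' "$1" | cut -c2)
    other=$(printf '%s' "$1" | cut -c3)
    # single octal digits are also valid decimal, so a plain | works
    printf '%s%s%s\n' "$owner" "$group" "$(( other | group ))"
}

# audit_acl TYPE: read getfacl(1) NFSv4 output on stdin (TYPE is "file"
# or "dir") and print one line per ACE whose effect the bug changes.
audit_acl() {
    ftype=$1
    while IFS= read -r line; do
        case $line in '#'*|'') continue ;; esac   # skip "# file:" headers
        oldifs=$IFS; IFS=:; set -- $line; IFS=$oldifs
        # named entries: tag:qualifier:perms:flags:type; special entries
        # (owner@, group@, everyone@) carry no qualifier field
        if [ $# -eq 5 ]; then tag=$1; perms=$3; acetype=$5
        else tag=$1; perms=$2; acetype=$4; fi
        case "$tag:$acetype" in
            group:allow|group@:allow)
                echo "granted to ALL users (group check no-op): $line" ;;
        esac
        case "$ftype:$acetype:$perms" in
            dir:deny:*x*)
                echo "deny-execute on directory is BYPASSED: $line" ;;
        esac
    done
}

# Constructed samples: the ACL quoted in the report, plus a hypothetical
# directory ACL with an explicit deny-execute entry (not from the page).
sample_file_acl() {
    printf '%s\n' '# file: testfile' '# owner: root' '# group: wheel' \
        'group:builtin_administrators:rwxpDdaARWcCos:-------:allow'
}
sample_dir_acl() {
    printf '%s\n' '# file: testdir' '# owner: root' '# group: wheel' \
        'everyone@:--x-----------:-------:deny' \
        'group@:rwxpDdaARWcCos:fd-----:allow' \
        'owner@:rwxpDdaARWcCos:fd-----:allow'
}

sample_file_acl | audit_acl file
sample_dir_acl | audit_acl dir
echo "mode 770 is de-facto $(effective_mode 770)"
```

To review a real dataset, pipe `getfacl /path` into `audit_acl dir` or `audit_acl file` as appropriate; any reported line is a permission that only an upgrade restores.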

Solution

freebsd-upgrade-package-openzfs-kmod
