By default in the install, when you have label create the drive partitions for you, a /tmp label is created however it is not mounted with the options "nofollowsymlinks" which would help stop race conditions. As well, /tmp is not mounted with nosuid, allowing suid bit binaries to execute from the tmp directory. Further reading from Kris Kennaway http://old.lwn.net/2000/1221/a/sec-tmp.php3 Fix: edit /etc/fstab after installation and change the options to "rw,nosymfollow,nosuid" alter sysinstall to make those options default. How-To-Repeat: exploit any race condition, like the adobe pdf writer one for example. symlink a preditable file in /tmp to /etc/master.passwd, etc... you all know the drill.
State Changed From-To: open->suspended Awaiting patch from someone to implement the proposed changes to sysinstall.
Responsible Changed From-To: freebsd-bugs->freebsd-sysinstall Over to maintainer(s)
sysinstall has been replaced by bsdinstall in FreeBSD 9.x. Closing.