diff options
author | Kirk McKusick <mckusick@FreeBSD.org> | 2003-03-02 08:07:57 +0000 |
---|---|---|
committer | Kirk McKusick <mckusick@FreeBSD.org> | 2003-03-02 08:07:57 +0000 |
commit | 6d540f813749ed04d37d9738cd58bbea6c4ee2ad (patch) | |
tree | 2ddbcc07d94edbd92ed1f375bc1f47ae6aac0c4a /sbin/mksnap_ffs | |
parent | 491081fabfefa9454efb8930b2de7a36a6a36703 (diff) | |
download | src-6d540f813749ed04d37d9738cd58bbea6c4ee2ad.tar.gz src-6d540f813749ed04d37d9738cd58bbea6c4ee2ad.zip |
Close out a possible race where anybody in group operator could
chown an arbitrary file to operator.
Reported by: Ian Dowse <iedowse@maths.tcd.ie>
Sponsored by: DARPA & NAI Labs.
Notes
Notes:
svn path=/head/; revision=111725
Diffstat (limited to 'sbin/mksnap_ffs')
-rw-r--r-- | sbin/mksnap_ffs/mksnap_ffs.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/sbin/mksnap_ffs/mksnap_ffs.c b/sbin/mksnap_ffs/mksnap_ffs.c index 8f33cde47471..1c3fb613e0aa 100644 --- a/sbin/mksnap_ffs/mksnap_ffs.c +++ b/sbin/mksnap_ffs/mksnap_ffs.c @@ -41,6 +41,7 @@ #include <ufs/ufs/ufsmount.h> #include <err.h> #include <errno.h> +#include <fcntl.h> #include <grp.h> #include <stdio.h> #include <stdlib.h> @@ -62,6 +63,8 @@ main(int argc, char **argv) const char *dir; struct ufs_args args; struct group *grp; + struct stat stbuf; + int fd; if (argc != 3) usage(); @@ -73,9 +76,15 @@ main(int argc, char **argv) errx(1, "Cannot retrieve operator gid"); if (mount("ffs", dir, MNT_UPDATE | MNT_SNAPSHOT, &args) < 0) err(1, "Cannot create %s", args.fspec); - if (chown(args.fspec, -1, grp->gr_gid) != 0) + if ((fd = open(args.fspec, O_RDONLY)) < 0) + err(1, "Cannot open %s", args.fspec); + if (fstat(fd, &stbuf) != 0) + err(1, "Cannot stat %s", args.fspec); + if ((stbuf.st_flags & SF_SNAPSHOT) == 0) + errx(1, "File %s is not a snapshot", args.fspec); + if (fchown(fd, -1, grp->gr_gid) != 0) err(1, "Cannot chown %s", args.fspec); - if (chmod(args.fspec, S_IRUSR | S_IRGRP) != 0) + if (fchmod(fd, S_IRUSR | S_IRGRP) != 0) err(1, "Cannot chmod %s", args.fspec); exit(EXIT_SUCCESS); |