From 4da6e3d109753f3d1c72110a6bca95aa43165522 Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Mon, 18 Sep 2000 16:13:02 +0000
Subject: o Substitute suser() calls for direct credential checks, which is now safe as suser() no longer sets ASU.
o Note that in some cases, the PRISON_ROOT flag is used even though no process structure is passed, to indicate that if a process structure (and hence jail) was available, it would be ok. In the long run, the jail identifier should probably be moved to ucred, as the uidinfo information was.
o Some uid 0 checks remain relating to the quota code, which I'll leave for another day.
Reviewed by: phk, eivind
Obtained from: TrustedBSD Project
---
 sys/ufs/ufs/ufs_lookup.c    | 2 +-
 sys/ufs/ufs/ufs_quota.c     | 4 ++--
 sys/ufs/ufs/ufs_readwrite.c | 3 ++-
 sys/ufs/ufs/ufs_vnops.c     | 9 +++++----
 4 files changed, 10 insertions(+), 8 deletions(-)
(limited to 'sys/ufs')

diff --git a/sys/ufs/ufs/ufs_lookup.c b/sys/ufs/ufs/ufs_lookup.c
index cddd025f5579..22387a9afe6d 100644
--- a/sys/ufs/ufs/ufs_lookup.c
+++ b/sys/ufs/ufs/ufs_lookup.c
@@ -476,7 +476,7 @@ found:
 	 * implements append-only directories.
 	 */
 	if ((dp->i_mode & ISVTX) &&
-	    cred->cr_uid != 0 &&
+	    suser_xxx(cred, p, PRISON_ROOT) &&
 	    cred->cr_uid != dp->i_uid &&
 	    VTOI(tdp)->i_uid != cred->cr_uid) {
 		vput(tdp);
diff --git a/sys/ufs/ufs/ufs_quota.c b/sys/ufs/ufs/ufs_quota.c
index fdf365456966..75a559e06aa2 100644
--- a/sys/ufs/ufs/ufs_quota.c
+++ b/sys/ufs/ufs/ufs_quota.c
@@ -147,7 +147,7 @@ chkdq(ip, change, cred, flags)
 		}
 		return (0);
 	}
-	if ((flags & FORCE) == 0 && cred->cr_uid != 0) {
+	if ((flags & FORCE) == 0 && suser_xxx(cred, NULL, 0)) {
 		for (i = 0; i < MAXQUOTAS; i++) {
 			if ((dq = ip->i_dquot[i]) == NODQUOT)
 				continue;
@@ -268,7 +268,7 @@ chkiq(ip, change, cred, flags)
 		}
 		return (0);
 	}
-	if ((flags & FORCE) == 0 && cred->cr_uid != 0) {
+	if ((flags & FORCE) == 0 && suser_xxx(cred, NULL, 0)) {
 		for (i = 0; i < MAXQUOTAS; i++) {
 			if ((dq = ip->i_dquot[i]) == NODQUOT)
 				continue;
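Review bot: In the chkdq hunk the new `suser_xxx(cred, NULL, 0)` cannot apply the jail restriction that the `0` flag expresses, because no process is passed and, as the commit message itself notes, the jail is only reachable through the process structure; a uid-0 credential from inside a jail therefore stays exempt from quota enforcement exactly as under the old `cred->cr_uid != 0` test. The same applies to the chkiq hunk at @@ -268. Since chkdq and chkiq take no proc argument, the flag value here is intent rather than enforcement, and a comment would stop a later reader from assuming jailed root is now subject to quotas, e.g. `/* XXX no proc available, so jailed root cannot be distinguished here */`. Both enclosing functions start and end outside their hunks.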
diff --git a/sys/ufs/ufs/ufs_readwrite.c b/sys/ufs/ufs/ufs_readwrite.c
index df295f7faa82..be43550ce688 100644
--- a/sys/ufs/ufs/ufs_readwrite.c
+++ b/sys/ufs/ufs/ufs_readwrite.c
@@ -514,7 +514,8 @@ WRITE(ap)
 	 * we clear the setuid and setgid bits as a precaution against
 	 * tampering.
 	 */
-	if (resid > uio->uio_resid && ap->a_cred && ap->a_cred->cr_uid != 0)
+	if (resid > uio->uio_resid && ap->a_cred &&
+	    suser_xxx(ap->a_cred, NULL, PRISON_ROOT))
 		ip->i_mode &= ~(ISUID | ISGID);
 	if (resid > uio->uio_resid)
 		VN_KNOTE(vp, NOTE_WRITE | (extended ? NOTE_EXTEND : 0));
diff --git a/sys/ufs/ufs/ufs_vnops.c b/sys/ufs/ufs/ufs_vnops.c
index 733f1523e919..f355080613e8 100644
--- a/sys/ufs/ufs/ufs_vnops.c
+++ b/sys/ufs/ufs/ufs_vnops.c
@@ -411,7 +411,7 @@ ufs_setattr(ap)
 		if (cred->cr_uid != ip->i_uid &&
 		    (error = suser_xxx(cred, p, PRISON_ROOT)))
 			return (error);
-		if ((cred->cr_uid == 0) && (p->p_prison == NULL)) {
+		if (!suser_xxx(cred, NULL, 0)) {
 			if ((ip->i_flags & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) && securelevel > 0)
@@ -527,7 +527,7 @@ ufs_chmod(vp, mode, cred, p)
 		if (error)
 			return (error);
 	}
-	if (cred->cr_uid) {
+	if (suser_xxx(cred, NULL, PRISON_ROOT)) {
 		if (vp->v_type != VDIR && (mode & S_ISTXT))
 			return (EFTYPE);
 		if (!groupmember(ip->i_gid, cred) && (mode & ISGID))
@@ -638,7 +638,7 @@ good:
 			panic("ufs_chown: lost quota");
 #endif /* QUOTA */
 	ip->i_flag |= IN_CHANGE;
-	if (cred->cr_uid != 0 && (ouid != uid || ogid != gid))
+	if (suser_xxx(cred, NULL, 0) && (ouid != uid || ogid != gid))
 		ip->i_mode &= ~(ISUID | ISGID);
 	return (0);
 }
@@ -1093,7 +1093,8 @@ abortit:
 		 * otherwise the destination may not be changed (except by
 		 * root). This implements append-only directories.
 		 */
-		if ((dp->i_mode & S_ISTXT) && tcnp->cn_cred->cr_uid != 0 &&
+		if ((dp->i_mode & S_ISTXT) &&
+		    suser_xxx(tcnp->cn_cred, NULL, 0) &&
 		    tcnp->cn_cred->cr_uid != dp->i_uid &&
 		    xp->i_uid != tcnp->cn_cred->cr_uid) {
 			error = EPERM;
-- 
cgit v1.2.3
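Review bot: The replacement `if (!suser_xxx(cred, NULL, 0)) {` in the ufs_setattr hunk (@@ -411) drops the explicit `p->p_prison == NULL` test that the removed line carried, and because no process is passed the jail cannot be evaluated (the commit message says the flag is only indicative in that case), so a uid-0 credential inside a jail now takes the privileged branch that sets system flags. `p` is in scope here, as the `suser_xxx(cred, p, PRISON_ROOT)` call two lines above shows, so the old behaviour is kept with `if (!suser_xxx(cred, p, 0)) {`. The same NULL-process-with-flag-0 pattern appears in ufs_chown (@@ -638, where the hunk header shows `p` as a parameter) and in the @@ -1093 hunk (where `tcnp->cn_proc` is available); there the old `cr_uid != 0` tests already let jailed root through, so whether to pass the process or merely note the unenforced intent in a comment is a policy choice, but it should be made explicitly. ufs_setattr starts and ends outside the hunk.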
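Review bot: The append-only-directory rule in the @@ -1093 hunk (apparently ufs_rename, judging by `tcnp`, `xp` and the `abortit:` label) now encodes a different jail policy from the identical rule in ufs_lookup.c (@@ -476): that hunk passes `p` with PRISON_ROOT, so jailed root may bypass the sticky bit, while this one passes NULL with flag 0, which says jailed root should not bypass it but cannot be enforced without a process. The two checks describe the same restriction and should agree; if jailed root is meant to be allowed, `suser_xxx(tcnp->cn_cred, tcnp->cn_proc, PRISON_ROOT) &&` aligns this one with lookup, and otherwise a comment on the lookup side should record why the policies differ. The enclosing function starts and ends outside the hunk.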