Date: Sun, 24 May 2009 19:21:49 +0000 (UTC) From: Edward Tomasz Napierala <trasz@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r192694 - head/sys/cddl/compat/opensolaris/kern Message-ID: <200905241921.n4OJLnda098232@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: trasz Date: Sun May 24 19:21:49 2009 New Revision: 192694 URL: http://svn.freebsd.org/changeset/base/192694 Log: Don't allow non-owner to set SUID bit on a file. It doesn't make any difference now, but in NFSv4 ACLs, there is write_acl permission, which also affects mode changes. Reviewed by: pjd Modified: head/sys/cddl/compat/opensolaris/kern/opensolaris_policy.c Modified: head/sys/cddl/compat/opensolaris/kern/opensolaris_policy.c ============================================================================== --- head/sys/cddl/compat/opensolaris/kern/opensolaris_policy.c Sun May 24 18:49:53 2009 (r192693) +++ head/sys/cddl/compat/opensolaris/kern/opensolaris_policy.c Sun May 24 19:21:49 2009 (r192694) @@ -302,6 +302,14 @@ secpolicy_setid_setsticky_clear(struct v if (error) return (error); } + /* + * Deny setting setuid if we are not the file owner. + */ + if ((vap->va_mode & S_ISUID) && ovap->va_uid != cred->cr_uid) { + error = priv_check_cred(cred, PRIV_VFS_ADMIN, 0); + if (error) + return (error); + } return (0); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200905241921.n4OJLnda098232>