Date: Thu, 15 Jul 2004 19:03:20 +0200 From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: "Christian S.J. Peron" <csjp@FreeBSD.org> Cc: cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/kern kern_descrip.c Message-ID: <20040715170320.GF12007@darkness.comp.waw.pl> In-Reply-To: <200407141904.i6EJ4VKD016422@repoman.freebsd.org> References: <200407141904.i6EJ4VKD016422@repoman.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On Wed, Jul 14, 2004 at 07:04:31PM +0000, Christian S.J. Peron wrote:
+> csjp 2004-07-14 19:04:31 UTC
+>
+> FreeBSD src repository
+>
+> Modified files:
+> sys/kern kern_descrip.c
+> Log:
+> In addition to the real user ID check, do an explicit jail
+> check to ensure that the caller is not prison root.
+>
+> The intention is to fix file descriptor creation so that
+> prison root can not use the last remaining file descriptors.
+> This privilege should be reserved for non-jailed root users.
[...]
+> fp = uma_zalloc(file_zone, M_WAITOK | M_ZERO);
+> sx_xlock(&filelist_lock);
+> - if ((nfiles >= maxuserfiles && td->td_ucred->cr_ruid != 0)
+> - || nfiles >= maxfiles) {
+> + if ((nfiles >= maxuserfiles && (td->td_ucred->cr_ruid != 0 ||
+> + jailed(td->td_ucred))) || nfiles >= maxfiles) {
+> if (ppsratecheck(&lastfail, &curfail, 1)) {
+> printf("kern.maxfiles limit exceeded by uid %i, please see tuning(7).\n",
+> td->td_ucred->cr_ruid);
Could we change 'td->td_ucred->cr_ruid != 0 || jailed(td->td_ucred)' to
'suser(td) != 0'?
--
Pawel Jakub Dawidek http://www.FreeBSD.org
pjd@FreeBSD.org http://garage.freebsd.pl
FreeBSD committer Am I Evil? Yes, I Am!
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
iD8DBQFA9rjYForvXbEpPzQRAhO+AJ9srXKrdVqBFw8GQAielszFG5LXfwCfS50s
3E2fcFPVfIXB630+SoDhJIs=
=fHKN
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040715170320.GF12007>