From owner-cvs-all@FreeBSD.ORG Thu Jul 15 17:03:23 2004 Return-Path: Delivered-To: cvs-all@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3BD2116A4CE; Thu, 15 Jul 2004 17:03:23 +0000 (GMT) Received: from darkness.comp.waw.pl (darkness.comp.waw.pl [195.117.238.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB27743D39; Thu, 15 Jul 2004 17:03:22 +0000 (GMT) (envelope-from pjd@darkness.comp.waw.pl) Received: by darkness.comp.waw.pl (Postfix, from userid 1009) id DB054ACAF1; Thu, 15 Jul 2004 19:03:20 +0200 (CEST) Date: Thu, 15 Jul 2004 19:03:20 +0200 From: Pawel Jakub Dawidek To: "Christian S.J. Peron" Message-ID: <20040715170320.GF12007@darkness.comp.waw.pl> References: <200407141904.i6EJ4VKD016422@repoman.freebsd.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="LqIGKb6ivCeGIB65" Content-Disposition: inline In-Reply-To: <200407141904.i6EJ4VKD016422@repoman.freebsd.org> User-Agent: Mutt/1.4.2i X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc X-OS: FreeBSD 5.2.1-RC2 i386 cc: cvs-src@FreeBSD.org cc: src-committers@FreeBSD.org cc: rwatson@freebsd.org cc: cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/kern kern_descrip.c X-BeenThere: cvs-all@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: CVS commit messages for the entire tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Jul 2004 17:03:23 -0000 --LqIGKb6ivCeGIB65 Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jul 14, 2004 at 07:04:31PM +0000, Christian S.J. Peron wrote: +> csjp 2004-07-14 19:04:31 UTC +>=20 +> FreeBSD src repository +>=20 +> Modified files: +> sys/kern kern_descrip.c=20 +> Log: +> In addition to the real user ID check, do an explicit jail +> check to ensure that the caller is not prison root. +> =20 +> The intention is to fix file descriptor creation so that +> prison root can not use the last remaining file descriptors. +> This privilege should be reserved for non-jailed root users. [...] +> fp =3D uma_zalloc(file_zone, M_WAITOK | M_ZERO); +> sx_xlock(&filelist_lock); +> - if ((nfiles >=3D maxuserfiles && td->td_ucred->cr_ruid !=3D 0) +> - || nfiles >=3D maxfiles) { +> + if ((nfiles >=3D maxuserfiles && (td->td_ucred->cr_ruid !=3D 0 || +> + jailed(td->td_ucred))) || nfiles >=3D maxfiles) { +> if (ppsratecheck(&lastfail, &curfail, 1)) { +> printf("kern.maxfiles limit exceeded by uid %i, please see tuning(7)= .\n", +> td->td_ucred->cr_ruid); Could we change 'td->td_ucred->cr_ruid !=3D 0 || jailed(td->td_ucred)' to 'suser(td) !=3D 0'? --=20 Pawel Jakub Dawidek http://www.FreeBSD.org pjd@FreeBSD.org http://garage.freebsd.pl FreeBSD committer Am I Evil? Yes, I Am! --LqIGKb6ivCeGIB65 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFA9rjYForvXbEpPzQRAhO+AJ9srXKrdVqBFw8GQAielszFG5LXfwCfS50s 3E2fcFPVfIXB630+SoDhJIs= =fHKN -----END PGP SIGNATURE----- --LqIGKb6ivCeGIB65--