From owner-freebsd-hackers Tue Sep 19 00:34:34 1995
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id AAA15578 for hackers-outgoing; Tue, 19 Sep 1995 00:34:34 -0700
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.34]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id AAA15568 for ; Tue, 19 Sep 1995 00:34:25 -0700
Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.9/8.6.9) id RAA30694; Tue, 19 Sep 1995 17:30:19 +1000
Date: Tue, 19 Sep 1995 17:30:19 +1000
From: Bruce Evans
Message-Id: <199509190730.RAA30694@godzilla.zeta.org.au>
To: julian@ref.tfs.com, terry@lambert.org
Subject: Re: suspect code in 'unlink' syscall.
Cc: hackers@FreeBSD.ORG
Sender: owner-hackers@FreeBSD.ORG
Precedence: bulk

>> looking at 'unlink (2)'
>> I see,
>>         if (vp->v_type != VDIR ||
>>             (error = suser(p->p_ucred, &p->p_acflag)) == 0) {

>Invert the test. I made this mod some time ago:

>         if( ( error = suser(p->p_ucred, &p->p_acflag)) == 0 ||
>           vp->v_type != VDIR) {

>This way, the error code will be set to EPERM if you are not root and the
>followon code will not be executed.

This way, the error code is bogusly set for non-root, so that only root
can unlink anything. Also, root is bogusly recorded as having used the
superuser privilege to unlink non-directories. Also, the formatting
is messed up.

You may have added some gotos to avoid the first bug.

Bruce
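
The two orderings discussed in this message, as an added example that is not part of the original post or of the FreeBSD source: a user-space C model in which suser() is reduced to a uid check that sets an accounting flag. The names struct result, check_original, check_inverted, the entered field, the ASU value and the sample uids are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified user-space model; not kernel code. */
enum vtype { VREG, VDIR };
#define ASU 0x02    /* model's "used superuser privilege" flag (constructed value) */
struct result { int error; int acflag; int entered; };

/* Model of suser(): returns 0 and records ASU for uid 0, otherwise EPERM. */
static int suser(int uid, int *acflag)
{
    if (uid == 0) {
        *acflag |= ASU;
        return 0;
    }
    return EPERM;
}

/* Original order: suser() is evaluated only when the target is a directory. */
struct result check_original(int uid, enum vtype type)
{
    struct result r = { 0, 0, 0 };
    if (type != VDIR || (r.error = suser(uid, &r.acflag)) == 0)
        r.entered = 1;      /* follow-on checks would run here */
    return r;
}

/* Inverted order: suser() always runs, so error and acflag are always touched. */
struct result check_inverted(int uid, enum vtype type)
{
    struct result r = { 0, 0, 0 };
    if ((r.error = suser(uid, &r.acflag)) == 0 || type != VDIR)
        r.entered = 1;      /* follow-on checks would run here */
    return r;
}

int main(void)
{
    int uids[] = { 0, 1001 };   /* constructed sample uids: root and a normal user */
    for (int u = 0; u < 2; u++)
        for (int t = VREG; t <= VDIR; t++) {
            struct result a = check_original(uids[u], t);
            struct result b = check_inverted(uids[u], t);
            printf("uid=%-4d %s original: error=%d asu=%d | inverted: error=%d asu=%d\n",
                   uids[u], t == VDIR ? "VDIR" : "VREG",
                   a.error, !!(a.acflag & ASU), b.error, !!(b.acflag & ASU));
        }
    return 0;
}
```

For a non-root caller and a regular file, the original order leaves error at 0 while the inverted order leaves it at EPERM; for root and a regular file, only the inverted order sets the ASU flag.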