Date: Sat, 31 May 2003 19:19:43 -0700 (PDT)
From: Peter Wemm <peter@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 32256 for review
Message-ID: <200306010219.h512JhhW077508@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=32256 Change 32256 by peter@peter_hammer on 2003/05/31 19:19:01 IFC @32254 Affected files ... .. //depot/projects/hammer/etc/pam.d/README#2 integrate .. //depot/projects/hammer/etc/rc.d/mountcritlocal#3 integrate .. //depot/projects/hammer/lib/Makefile#16 integrate .. //depot/projects/hammer/lib/libpam/libpam/Makefile#7 integrate .. //depot/projects/hammer/sys/kern/sysv_ipc.c#3 integrate Differences ... ==== //depot/projects/hammer/etc/pam.d/README#2 (text+ko) ==== @@ -30,12 +30,14 @@ password: update authentication tokens. control-flag: How libpam handles success or failure of the module. - required: success is required, and on failure all remaining - modules are run. + required: success is required; on failure all remaining + modules are run, but the request will be denied. requisite: success is required, and on failure no remaining modules are run. sufficient: success is sufficient, and if no previous required module failed, no remaining modules are run. + binding: success is sufficient; on failure all remaining + modules are run, but the request will be denied. optional: ignored unless the other modules return PAM_IGNORE. arguments: Module-specific options, plus some generic ones: @@ -57,4 +59,4 @@ To get the intended semantics, add a "required" entry listing the pam_deny module at the end of the chain. -$FreeBSD: src/etc/pam.d/README,v 1.3 2001/12/05 21:26:00 des Exp $ +$FreeBSD: src/etc/pam.d/README,v 1.4 2003/06/01 00:34:38 des Exp $ ==== //depot/projects/hammer/etc/rc.d/mountcritlocal#3 (text+ko) ==== @@ -1,7 +1,7 @@ #!/bin/sh # # $NetBSD: mountcritlocal,v 1.7 2002/04/29 12:29:53 lukem Exp $ -# $FreeBSD: src/etc/rc.d/mountcritlocal,v 1.3 2002/09/06 16:18:05 gordon Exp $ +# $FreeBSD: src/etc/rc.d/mountcritlocal,v 1.4 2003/06/01 00:32:03 gordon Exp $ # # PROVIDE: mountcritlocal 
@@ -20,7 +20,7 @@ FreeBSD) # Set up the list of network filesystem types for which mounting # should be delayed until after network initialization. - networkfs_types='nfs:NFS smbfs:SMB portalfs:PORTAL' + networkfs_types='nfs:NFS smbfs:SMB portalfs:PORTAL nwfs:NWFS' case ${extra_netfs_types} in [Nn][Oo]) ;; ==== //depot/projects/hammer/lib/Makefile#16 (text+ko) ==== @@ -1,5 +1,5 @@ # @(#)Makefile 8.1 (Berkeley) 6/4/93 -# $FreeBSD: src/lib/Makefile,v 1.158 2003/05/31 18:43:17 mtm Exp $ +# $FreeBSD: src/lib/Makefile,v 1.159 2003/06/01 00:32:21 marcel Exp $ # To satisfy shared library or ELF linkage when only the libraries being # built are visible: @@ -70,6 +70,12 @@ .endif .endif +.if ${MACHINE_ARCH} == "ia64" +.if !defined(NOLIBTHR) +_libthr= libthr +.endif +.endif + .if ${MACHINE_ARCH} == "alpha" _libio= libio _compat= compat ==== //depot/projects/hammer/lib/libpam/libpam/Makefile#7 (text+ko) ==== @@ -33,7 +33,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/lib/libpam/libpam/Makefile,v 1.44 2003/05/05 21:15:35 des Exp $ +# $FreeBSD: src/lib/libpam/libpam/Makefile,v 1.45 2003/05/31 23:38:16 des Exp $ OPENPAM= ${.CURDIR}/../../../contrib/openpam .PATH: ${OPENPAM}/include ${OPENPAM}/lib ${OPENPAM}/doc/man @@ -80,8 +80,7 @@ pam_vinfo.c \ pam_vprompt.c # Local additions -SRCS+= pam_debug_log.c \ - pam_std_option.c +SRCS+= pam_debug_log.c MAN= openpam.3 \ openpam_borrow_cred.3 \ ==== //depot/projects/hammer/sys/kern/sysv_ipc.c#3 (text+ko) ==== @@ -1,4 +1,4 @@ -/* $FreeBSD: src/sys/kern/sysv_ipc.c,v 1.24 2003/01/13 23:04:31 dillon Exp $ */ +/* $FreeBSD: src/sys/kern/sysv_ipc.c,v 1.26 2003/05/31 23:31:51 rwatson Exp $ */ /* $NetBSD: sysv_ipc.c,v 1.7 1994/06/29 06:33:11 cgd Exp $ */ /* 
@@ -76,21 +76,41 @@ int mode; { struct ucred *cred = td->td_ucred; + int error; - /* Check for user match. */ if (cred->cr_uid != perm->cuid && cred->cr_uid != perm->uid) { - if (mode & IPC_M) - return (suser(td) == 0 ? 0 : EPERM); - /* Check for group match. */ + /* + * For a non-create/owner, we require privilege to + * modify the object protections. Note: some other + * implementations permit IPC_M to be delegated to + * unprivileged non-creator/owner uids/gids. + */ + if (mode & IPC_M) { + error = suser(td); + if (error) + return (error); + } + /* + * Try to match against creator/owner group; if not, fall + * back on other. + */ mode >>= 3; if (!groupmember(perm->gid, cred) && !groupmember(perm->cgid, cred)) - /* Check for `other' match. */ mode >>= 3; + } else { + /* + * Always permit the creator/owner to update the object + * protections regardless of whether the object mode + * permits it. + */ + if (mode & IPC_M) + return (0); } - if (mode & IPC_M) - return (0); - return ((mode & perm->mode) == mode || - suser(td) == 0 ? 0 : EACCES); + if ((mode & perm->mode) != mode) { + if (suser(td) != 0) + return (EACCES); + } + return (0); }
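Review bot: In the etc/pam.d/README hunk, the new "binding" entry says success is sufficient but, unlike the "sufficient" entry just above it, does not say whether the remaining modules are skipped on success or whether an earlier "required" failure changes that outcome. Suggest mirroring the "sufficient" wording (the "if no previous required module failed, no remaining modules are run" clause) if that is the intended behaviour, so a reader can tell that the two flags differ only in what happens on failure.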
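Review bot: In the sys/kern/sysv_ipc.c hunk, the non-owner branch of the permission check lets a successful suser(td) for IPC_M fall through with IPC_M still set in mode, so that bit is shifted by "mode >>= 3" (once or twice) and then compared against perm->mode in the final test, which passes only if the shifted bit happens to be set in perm->mode or the second suser(td) call succeeds. Returning 0 as soon as the privilege check for IPC_M succeeds, as the removed code did, or clearing IPC_M from mode before the shifts, would keep the result independent of where the shifted bit lands and drop the duplicate suser() call. The failure path also changes from an explicit EPERM to whatever suser(td) returns ("return (error);"), so it is worth confirming that callers still see the same errno.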