Date: Sun, 09 Mar 1997 11:54:41 -0800
From: Cy Schubert <cy@cwsys.cwent.com>
To: freebsd-security@freebsd.org
Cc: Garrett Wollman <wollman@lcs.mit.edu>, "Daniel O'Callaghan" <danny@panda.hilink.com.au>
Subject: Re: 4.4BSD NFS File Handles (fwd)
Message-ID: <199703091954.LAA00737@cwsys.cwent.com>
In-Reply-To: Your message of "Sun, 09 Mar 1997 09:08:50 PST." <199703091708.JAA00702@cwsys.cwent.com>
I have tested my suggestion below on both of my 2.1.6 systems using the
following test program:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>

int
main(void)
{
	struct stat sb;

	if (stat("/usr", &sb)) {
		perror("stat error");
		exit(1);
	}
	/* st_gen: file generation number (BSD struct stat member) */
	printf("%lu\n", (unsigned long)sb.st_gen);
	return (0);
}

The modified patch returns zero in sb.st_gen for non-root users, yet does
not set the flag indicating the use of superuser powers. (I agree with
Garrett that filling a field via a commonly used system call does not
qualify to set the superuser-power-used flag). The patch is based on 2.1.6
as distributed on CDROM.

--- sys/kern/vfs_vnops.c.orig Thu Oct 26 02:17:22 1995 +++ sys/kern/vfs_vnops.c Sun Mar 9 09:28:11 1997
@@ -395,7 +395,10 @@ sb->st_ctimespec = vap->va_ctime; sb->st_blksize = vap->va_blocksize; sb->st_flags = vap->va_flags; - sb->st_gen = vap->va_gen; + if (p->p_cred->pc_ucred->cr_uid == 0) + sb->st_gen = vap->va_gen; + else + sb->st_gen = 0; sb->st_blocks = vap->va_bytes / S_BLKSIZE; return (0); }

Since I maintain a diverse range of platforms at work, five different
vendors at last count, and since I build infrastructure or at least test
some concepts at home, maintaining compatibility with these platforms is
important to me as it reduces the number of customizations I need to do to
get the same package to work on all platforms.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

		"Quit spooling around, JES do it."

> > <<On Fri, 7 Mar 1997 16:15:41 +1100 (EST), "Daniel O'Callaghan" <danny@panda.hilink.com.au> said:
> >
> > > if (suser(p->p_ucred, &p->p_acflag)) {
> > > 	sb->st_gen = 0;
> > > } else {
> > > 	sb->st_gen = vap->va_gen;
> > > }
> >
> > This test is bogus. The problem is that it causes p_acflag to get the
> > ``used superuser privileges'' bit set every time a root process calls
> > stat(). Since most processes call stat() at least once in their
> > lifetime, this would make p_acflag completely useless.
>
> Agreed. Replacing the "if (suser(p->p_ucred, &p->p_acflag)) {" in the
> patch with "if (p->p_cred->pc_ucred->cr_uid == 0) {" should address this
> concern.
>
> >
> > I'm certainly willing to live with not making this information
> > available through the stat(2) interface at all. Any process with
> > appropriate privilege can simply read the information off the disk
> > anyway, so I don't see any benefit in having it here. (A process with
> > appropriate privilege can also call getfh(2) and parse the returned
> > handle.)
>
> I disagree. This field is returned by other UNICES, notably DEC UNIX among
> others. Removing it would cause some portability concerns in some cases,
> e.g. some code may not compile right-out-of-the-box.
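
Review bot: the new `if (p->p_cred->pc_ucred->cr_uid == 0)` test in the `@@ -395,7 +395,10 @@` hunk of sys/kern/vfs_vnops.c carries no comment saying why st_gen is withheld from non-root callers or why cr_uid is compared directly rather than through suser(). Suggest a short comment above the test stating that the generation number is returned only to uid 0 and that suser() is avoided on purpose so that stat() does not set the superuser-used bit in p_acflag; without it, a later cleanup could swap the comparison back to suser() and reintroduce the accounting problem raised in the thread.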
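
The p_acflag side effect discussed in the quoted exchange, as an added example that is not part of the original message or of the FreeBSD source. It is a user-space model: `model_proc`, `model_suser`, `stat_gen_suser` and `stat_gen_uid` are hypothetical names, and the ASU value and the suser() behaviour are assumed to follow 4.4BSD.

```c
#include <stdio.h>

#define ASU 0x02  /* assumed value of the "used superuser privileges" bit */

struct model_proc {              /* hypothetical stand-in for struct proc */
    unsigned int   cr_uid;       /* effective uid of the calling process */
    unsigned short p_acflag;     /* accounting flags recorded for the process */
};

/* Model of suser(): 0 means "is root", and success sets ASU as a side effect. */
static int model_suser(unsigned int uid, unsigned short *acflag)
{
    if (uid == 0) {
        if (acflag)
            *acflag |= ASU;
        return 0;
    }
    return 1;                    /* the kernel returns EPERM here */
}

/* First proposal from the thread: gate st_gen through suser(). */
unsigned long stat_gen_suser(struct model_proc *p, unsigned long va_gen)
{
    return model_suser(p->cr_uid, &p->p_acflag) ? 0 : va_gen;
}

/* Patch variant: compare the uid directly, leaving p_acflag untouched. */
unsigned long stat_gen_uid(struct model_proc *p, unsigned long va_gen)
{
    return (p->cr_uid == 0) ? va_gen : 0;
}

int main(void)
{
    const unsigned long gen = 0x5eed1234UL;       /* constructed sample value */
    struct model_proc a = {0, 0}, b = {0, 0}, c = {1001, 0};
    unsigned long ga = stat_gen_suser(&a, gen);   /* root via suser() */
    unsigned long gb = stat_gen_uid(&b, gen);     /* root via uid test */
    unsigned long gc = stat_gen_uid(&c, gen);     /* non-root via uid test */

    printf("suser(), root:      st_gen=%#lx p_acflag=%#x\n", ga, (unsigned)a.p_acflag);
    printf("uid test, root:     st_gen=%#lx p_acflag=%#x\n", gb, (unsigned)b.p_acflag);
    printf("uid test, uid 1001: st_gen=%#lx p_acflag=%#x\n", gc, (unsigned)c.p_acflag);
    return 0;
}
```

Both variants return the same st_gen for every caller; only the suser() variant leaves the accounting bit set on a root process that did nothing but call stat().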