Date: Tue, 5 Jul 2005 12:02:12 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 79601 for review Message-ID: <200507051202.j65C2C9M076906@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=79601
Change 79601 by rwatson@rwatson_paprika on 2005/07/05 12:01:24 Annotate some uses of suser() in file system code that will need more attention. In reiserfs, the use of suser appears defective. In UFS, it requires some inspection of POSIX.1e to figure out how to use capabilities.
Affected files ... .. //depot/projects/trustedbsd/sebsd/sys/gnu/reiserfs/reiserfs_vfsops.c#2 edit .. //depot/projects/trustedbsd/sebsd/sys/ufs/ffs/ffs_vnops.c#11 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/gnu/reiserfs/reiserfs_vfsops.c#2 (text+ko) ==== @@ -125,8 +125,15 @@ return (error); } - /* If mount by non-root, then verify that user has necessary - * permissions on the device. */ + /* + * If mount by non-root, then verify that user has necessary + * permissions on the device. + * + * XXXRW: Probably, should check if the user has access, then + * exercise appropriate privilege to override the protections if + * desired. Question: why are we not simply relying on the results + * of VOP_ACCESS()? + */ if (suser(td)) { accessmode = VREAD; if ((mp->mnt_flag & MNT_RDONLY) == 0)
==== //depot/projects/trustedbsd/sebsd/sys/ufs/ffs/ffs_vnops.c#11 (text+ko) ==== @@ -731,6 +731,9 @@ * If we successfully wrote any data, and we are not the superuser * we clear the setuid and setgid bits as a precaution against * tampering. + * + * XXXRW: What should this be in the world of capabilities? Possibly + * CAP_SETUID and CAP_SETGID? */ if (resid > uio->uio_resid && ap->a_cred && suser_cred(ap->a_cred, SUSER_ALLOWJAIL)) { @@ -1056,6 +1059,9 @@ * If we successfully wrote any data, and we are not the superuser * we clear the setuid and setgid bits as a precaution against * tampering. + * + * XXXRW: What should this be in the world of capabilities? Possibly + * CAP_SETUID and CAP_SETGID? */ if (resid > uio->uio_resid && ucred && suser_cred(ucred, SUSER_ALLOWJAIL)) {
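Review bot: the XXXRW comment added in the reiserfs_vfsops.c hunk (around line 125) records an open question but not the defect the change description says this suser() use "appears defective", so the next reader has to rediscover it; state it in the comment. As the surrounding code shows, `if (suser(td))` skips the device permission check entirely when the caller is the superuser instead of running the check and only then consulting privilege to override a failure, which is exactly the ordering the comment proposes; a concrete TODO naming that restructuring would serve better than the question "why are we not simply relying on the results of VOP_ACCESS()?".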
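Review bot: in the ffs_vnops.c hunk at line 731, the candidates named in the new comment, CAP_SETUID and CAP_SETGID, govern a process changing its own credentials, whereas the condition below the comment decides whether a write by a non-superuser clears the setuid and setgid mode bits on the file; those are different privileges. The POSIX.1e draft capability that covers retaining the setuid/setgid bits across a file modification is CAP_FSETID, so the comment should at least list it alongside the current guess to steer the eventual replacement of `suser_cred(ap->a_cred, SUSER_ALLOWJAIL)`.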
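Review bot: the hunk at line 1056 adds a comment and sits on a condition that duplicate the block at line 731 almost verbatim (`ap->a_cred` there, `ucred` here), so when `suser_cred()` is eventually replaced by a capability check the change must be made in both places in lockstep, with the SUSER_ALLOWJAIL semantics preserved in each. Suggest factoring the clear-setuid-on-write decision into one small helper taking the credential, so the privilege check and its future capability replacement live in a single spot and the XXXRW note only needs to exist once.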