From owner-svn-src-head@FreeBSD.ORG  Tue May 31 07:02:50 2011
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 283E01065672;
	Tue, 31 May 2011 07:02:50 +0000 (UTC) (envelope-from pjd@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 17E0B8FC08;
	Tue, 31 May 2011 07:02:50 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p4V72njd011818;
	Tue, 31 May 2011 07:02:49 GMT (envelope-from pjd@svn.freebsd.org)
Received: (from pjd@localhost)
	by svn.freebsd.org (8.14.4/8.14.4/Submit) id p4V72n5H011816;
	Tue, 31 May 2011 07:02:49 GMT (envelope-from pjd@svn.freebsd.org)
Message-Id: <201105310702.p4V72n5H011816@svn.freebsd.org>
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
Date: Tue, 31 May 2011 07:02:49 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r222518 - head/sys/cddl/compat/opensolaris/kern
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
	<svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 31 May 2011 07:02:50 -0000

Author: pjd
Date: Tue May 31 07:02:49 2011
New Revision: 222518
URL: http://svn.freebsd.org/changeset/base/222518

Log:
  Imagine situation where a security problem is found in setuid binary.
  User upgrades his system to fix the problem, but if he has any ZFS snapshots
  for the file system which contains problematic binary, any user can mount the
  snapshot and execute vulnerable binary.
  
  Prevent this from happening by always mounting snapshots with setuid turned off.
  
  MFC after:	2 weeks

Modified:
  head/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c

Modified: head/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c
==============================================================================
--- head/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c	Tue May 31 05:00:45 2011	(r222517)
+++ head/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c	Tue May 31 07:02:49 2011	(r222518)
@@ -172,6 +172,11 @@ mount_snapshot(kthread_t *td, vnode_t **
 	 */
 	mp->mnt_flag |= MNT_RDONLY;
 	/*
+	 * We don't want snapshots to allow access to vulnerable setuid
+	 * programs, so we turn off setuid when mounting snapshots.
+	 */
+	mp->mnt_flag |= MNT_NOSUID;
+	/*
 	 * We don't want snapshots to be visible in regular
 	 * mount(8) and df(1) output.
 	 */