Date: Thu, 5 Oct 2000 17:16:29 +0200 (CEST)
From: pb@hert.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/21769: jail problem
Message-ID: <20001005151629.1B9CF13@ender.tfz.net>
>Number: 21769
>Category: kern
>Synopsis: jail problem
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Oct 05 08:20:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Pascal Bouchareine
>Release: FreeBSD 5.x current, 4.0, 4.1
>Organization: HERT
>Environment:

FreeBSD and jail() support - any release I could test this on. Jail and mount settings are by default.

>Description:

A jailed superuser is able to unmount a directory, provided that this directory is under his jail root directory. The problem lies in the way uid is checked. Where user.creds are compared to object.creds, if uid == 0, the suser()-in-jail-like behaviour is not true anymore. This may be true for other protection checks (ipc, nicing of processes, what else.. ?)

>How-To-Repeat:

I'm so sorry I don't have an example right there. Just email me back for the C source I tested this with.

>Fix:

--- vfs_syscalls.c Thu Oct 5 17:06:22 2000 +++ vfs_syscalls.c.new Thu Oct 5 17:06:22 2000 @@ -423,7 +423,8 @@ * Only root, or the user that did the original mount is * permitted to unmount this filesystem. */ - if ((mp->mnt_stat.f_owner != p->p_ucred->cr_uid) && + if ((p->p_ucred->cr_uid && + (mp->mnt_stat.f_owner != p->p_ucred->cr_uid)) && (error = suser(p))) { vput(vp); return (error);

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
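
Review bot: In the new condition, the added "p->p_ucred->cr_uid &&" term is false whenever cr_uid is 0, so the && chain short-circuits and a uid-0 caller, jailed or not, never reaches suser(p). The description names suser() as the place where the in-jail restriction applies, so this skips that check for root instead of forcing it: before the change a uid-0 caller still hit suser(p) when f_owner was non-zero, and after it that path is gone as well. To route every uid-0 caller through the check and let only a non-root owner of the mount bypass it, the first term should be an OR on uid 0, for example "if ((p->p_ucred->cr_uid == 0 || mp->mnt_stat.f_owner != p->p_ucred->cr_uid) && (error = suser(p)))". The comment above the test ("Only root, or the user that did the original mount") should then state that a jailed root is refused, and a How-To-Repeat case attached to the PR would let the change be verified.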