From owner-freebsd-bugs Thu Oct 5 08:20:06 2000
Message-Id: <20001005151629.1B9CF13@ender.tfz.net>
Date: Thu, 5 Oct 2000 17:16:29 +0200 (CEST)
From: pb@hert.org
Reply-To: pb@hert.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/21769: jail problem

>Number:         21769
>Category:       kern
>Synopsis:       jail problem
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 05 08:20:01 PDT 2000
>Originator:     Pascal Bouchareine
>Release:        FreeBSD 5.x current, 4.0, 4.1
>Organization:
HERT
>Environment:
FreeBSD and jail() support - any release I could test this on. Jail and mount settings are by default.
>Description:
A jailed superuser is able to unmount a directory, provided that this directory is under his jail root directory.

The problem lies in the way the uid is checked. Where user.creds are compared to object.creds, if uid == 0, the suser()-in-jail-like behaviour is not true anymore.

This may be true for other protection checks (ipc, nicing of processes, what else..?)
>How-To-Repeat:
I'm so sorry I don't have an example right there. Just email me back for the C source I tested this with.
>Fix:
--- vfs_syscalls.c	Thu Oct  5 17:06:22 2000
+++ vfs_syscalls.c.new	Thu Oct  5 17:06:22 2000
@@ -423,7 +423,8 @@
 	 * Only root, or the user that did the original mount is
 	 * permitted to unmount this filesystem.
 	 */
-	if ((mp->mnt_stat.f_owner != p->p_ucred->cr_uid) &&
+	if ((p->p_ucred->cr_uid &&
+	    (mp->mnt_stat.f_owner != p->p_ucred->cr_uid)) &&
 	    (error = suser(p))) {
 		vput(vp);
 		return (error);
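Review bot: the added first operand `p->p_ucred->cr_uid &&` makes the whole condition false whenever cr_uid is 0, so suser(p) is still never reached for a jailed root and the unmount described in the report stays permitted; worse, with cr_uid == 0 the f_owner comparison is no longer evaluated either, so a jailed root could now also unmount filesystems that another user mounted, which the old check refused. The condition has to be true for uid 0 so that the jail-aware suser() is consulted, while a non-root owner of the mount still gets through without it, e.g.
	if ((p->p_ucred->cr_uid == 0 ||
	    mp->mnt_stat.f_owner != p->p_ucred->cr_uid) &&
	    (error = suser(p))) {
The comment above the check ("Only root, or the user that did the original mount") should then say that root is routed through suser(), since that is what makes the jail restriction apply.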
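As an added example (not part of the report or of FreeBSD's source), a small C model of three forms of the unmount check: the original condition, the one in the patch above, and a hardened variant that routes uid 0 through the jail-aware suser(). struct cred, suser_ok and the unmount_ok_* functions are hypothetical stand-ins for the kernel's p->p_ucred, suser() and the code in vfs_syscalls.c.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the credentials the unmount check consults:
 * hypothetical stand-ins for p->p_ucred->cr_uid and the jail state. */
struct cred {
    unsigned uid;
    bool jailed;
};

/* Model of suser(): succeeds only for a real, unjailed root.  A jailed
 * uid 0 is refused, which is the "suser()-in-jail" behaviour the
 * report relies on. */
static bool suser_ok(const struct cred *c)
{
    return c->uid == 0 && !c->jailed;
}

/* Check as it stood: when f_owner == cr_uid the first operand is false
 * and suser() is never consulted, so a jailed root can unmount anything
 * that (real) root mounted. */
static bool unmount_ok_original(const struct cred *c, unsigned f_owner)
{
    return !(f_owner != c->uid && !suser_ok(c));
}

/* Check as proposed in the PR's patch: uid 0 makes the first operand
 * false again, so a jailed root still bypasses suser(). */
static bool unmount_ok_pr_patch(const struct cred *c, unsigned f_owner)
{
    return !((c->uid != 0 && f_owner != c->uid) && !suser_ok(c));
}

/* Hardened form: root is always routed through suser() (so the jail
 * restriction applies) while a non-root owner of the mount still
 * unmounts it without suser(). */
static bool unmount_ok_fixed(const struct cred *c, unsigned f_owner)
{
    return !((c->uid == 0 || f_owner != c->uid) && !suser_ok(c));
}

int main(void)
{
    const struct cred jailed_root = { 0, true };
    printf("jailed root vs root-owned mount: original=%d pr_patch=%d fixed=%d\n",
           unmount_ok_original(&jailed_root, 0),
           unmount_ok_pr_patch(&jailed_root, 0),
           unmount_ok_fixed(&jailed_root, 0));
    return 0;
}
```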