Date: Mon, 3 Nov 1997 21:07:53 +0500 (ES)
From: Vasim Valejev <vasim@uddias.diaspro.com>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: kern/4927: kernel does not check any quota and permissions after setuid() on opened files
Message-ID: <199711031607.VAA20558@uddias.diaspro.com>
Resent-Message-ID: <199711031610.IAA10925@hub.freebsd.org>
>Number: 4927
>Category: kern
>Synopsis: kernel does not check any quota and permissions after setuid() on opened files
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 3 08:10:01 PST 1997
>Last-Modified:
>Originator: Vasim Valejev
>Organization:
DiasPro
>Release: FreeBSD 3.0-CURRENT i386
>Environment:
FreeBSD 3.0-CURRENT (FreeBSD 2.2-STABLE too)
>Description:
If a program running as root opens a file and then setuids to another user, it can still read/write to this file as root (without checking quotas and file permissions).
>How-To-Repeat:
Create an account 'testquot' and set the quota for this account on the /var partition to 20 blocks (hard and soft limits). Then run the following program from root's shell:
#include <sys/types.h>
#include <sys/uio.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>

#define BLOCK_QUOTA 50
#define TEST_ACCOUNT "testquot"
#define TEST_FILE "/var/tmp/test_for_quota"

int main(void)
{
    int fd;
    char *buffer;
    struct passwd *pw;

    /* 50 blocks of 512 bytes: more than the 20-block quota of the test account. */
    buffer = (char *) malloc(BLOCK_QUOTA * 512);
    if (buffer == NULL)
    {
        perror("malloc");
        exit(1);
    }
    memset(buffer, 245, BLOCK_QUOTA * 512);

    if ((pw = getpwnam(TEST_ACCOUNT)) == NULL)
    {
        fprintf(stderr, "Create account %s first !\n", TEST_ACCOUNT);
        exit(1);
    }

    /* The file is opened while the process is still root. */
    if ((fd = open(TEST_FILE, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR)) == -1)
    {
        perror("open");
        exit(1);
    }
    if (fchmod(fd, S_IRUSR | S_IWUSR) == -1)
    {
        perror("fchmod");
        exit(1);
    }

    /* Switch to the test account only after the descriptor exists. */
    if (setuid(pw->pw_uid) == -1)
    {
        fprintf(stderr, "Cant setuid to uid %d !\n", (int) pw->pw_uid);
        exit(1);
    }

    /* Written through the descriptor that was opened as root. */
    write(fd, buffer, BLOCK_QUOTA * 512);
    close(fd);
    printf("try du -s %s\n", TEST_FILE);
    return 0;
}
File /var/tmp/test_for_quota will have a size of 50 blocks :(.
This does not look good. Some programs may not work correctly. For example, mail.local from sendmail 8.8.7: it does setreuid() before writing to the user's mailbox (and after open()), but quotas for users' mailboxes do not work!
>Fix:
Don't know.
>Audit-Trail:
>Unformatted:
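Added example, not part of the original report and not FreeBSD or sendmail code: the first function shows that access is decided when open() runs, so an already-open descriptor keeps working after the file's mode changes, and the second shows the reverse ordering for a delivery program, taking the target user's effective IDs before open() so that the check and the new file's ownership belong to that user. The names fd_outlives_mode_change and open_as_user and the /tmp scratch path are hypothetical, chosen for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Access is checked at open(), not per write(): a descriptor keeps its
 * access after the file mode drops to 000. Returns 1 if write() still works. */
int fd_outlives_mode_change(void)
{
    char path[] = "/tmp/fdcheck.XXXXXX";  /* constructed scratch file */
    int fd = mkstemp(path), ok;

    if (fd == -1)
        return -1;
    ok = fchmod(fd, 0) == 0 && write(fd, "x", 1) == 1;
    close(fd);
    unlink(path);
    return ok;
}

/* Hypothetical helper: take the target identity first, then open(), so the
 * permission check runs as that user and a created file is owned by that
 * user. Supplementary groups are left unchanged. Returns fd or -1 (errno set). */
int open_as_user(const char *path, int flags, mode_t mode, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd, saved_errno;

    if (setegid(gid) == -1)
        return -1;
    if (seteuid(uid) == -1) {
        saved_errno = errno;
        if (setegid(saved_gid) == -1)
            abort();
        errno = saved_errno;
        return -1;
    }
    fd = open(path, flags, mode);
    saved_errno = errno;
    if (seteuid(saved_uid) == -1 || setegid(saved_gid) == -1)
        abort();  /* could not regain the original IDs: stop */
    errno = saved_errno;
    return fd;
}

int main(void) { printf("%d\n", fd_outlives_mode_change()); return 0; }
```

A root-run delivery program would pass the recipient's uid and gid from getpwnam(); an unprivileged caller can only pass its own IDs.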