From owner-freebsd-bugs Mon Nov 3 08:10:05 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA10941 for bugs-outgoing; Mon, 3 Nov 1997 08:10:05 -0800 (PST) (envelope-from owner-freebsd-bugs) Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA10925; Mon, 3 Nov 1997 08:10:02 -0800 (PST) (envelope-from gnats) Resent-Date: Mon, 3 Nov 1997 08:10:02 -0800 (PST) Resent-Message-Id: <199711031610.IAA10925@hub.freebsd.org> Resent-From: gnats (GNATS Management) Resent-To: freebsd-bugs Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, vasim@uddias.diaspro.com Received: from uddias.diaspro.com (vasim@uddias.diaspro.com [194.84.211.1]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA10767 for ; Mon, 3 Nov 1997 08:08:18 -0800 (PST) (envelope-from vasim@uddias.diaspro.com) Received: (from vasim@localhost) by uddias.diaspro.com (8.8.7/8.8.7) id VAA20558; Mon, 3 Nov 1997 21:07:53 +0500 (ES) Message-Id: <199711031607.VAA20558@uddias.diaspro.com> Date: Mon, 3 Nov 1997 21:07:53 +0500 (ES) From: Vasim Valejev Reply-To: vasim@uddias.diaspro.com To: FreeBSD-gnats-submit@FreeBSD.ORG X-Send-Pr-Version: 3.2 Subject: kern/4927: kernel does not check any quota and permissions after setuid() on opened files Sender: owner-freebsd-bugs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk >Number: 4927 >Category: kern >Synopsis: kernel does not check any quota and permissions after setuid() on opened files >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Nov 3 08:10:01 PST 1997 >Last-Modified: >Originator: Vasim Valejev >Organization: DiasPro >Release: FreeBSD 3.0-CURRENT i386 >Environment: FreeBSD 3.0-CURRENT (FreeBSD 2.2-STABLE too) >Description: If program running as root opens file and setuids to other user , it still can read/write to this file as root (without check quotas and file permissions) . >How-To-Repeat: Create account 'testquot' and set quota for this account on /var partition to 20 blocks (hard and soft limits) . Then run next program from root's shell : #include #include #include #include #include #include #include #define BLOCK_QUOTA 50 #define TEST_ACCOUNT "testquot" #define TEST_FILE "/var/tmp/test_for_quota" main () { int fd; char *buffer; struct passwd *pw; buffer = (char *) malloc(BLOCK_QUOTA * 512); memset(buffer, 245, BLOCK_QUOTA * 512); if ((pw = getpwnam(TEST_ACCOUNT)) == NULL) { fprintf(stderr, "Create account %s first !\n", TEST_ACCOUNT); exit(1); } if ((fd = open(TEST_FILE, O_CREAT | O_EXCL | O_WRONLY)) == -1) { perror("open"); exit(1); } if (fchmod(fd, S_IRUSR | S_IWUSR) == -1) { perror("fchmod"); exit(1); } if (setuid(pw->pw_uid) == -1) { fprintf(stderr, "Cant setuid to uid %d !\n", pw->pw_uid); exit(1); } write(fd, buffer, BLOCK_QUOTA * 512); close(fd); printf("try du -s %s\n", TEST_FILE); } File /var/tmp/test_for_quota will have size 50 blocks :( . It looks not good . Some program can work not right . For example - mail.local from sendmail 8.8.7 - it does setreuid() before write to user's mailbox (and after open()) but quotas for users mailboxes does not work ! >Fix: Don't know . >Audit-Trail: >Unformatted: