From owner-freebsd-bugs  Wed Jan 16  4:30:12 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 31D3237B417
	for <freebsd-bugs@hub.freebsd.org>; Wed, 16 Jan 2002 04:30:04 -0800 (PST)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g0GCU4k81880;
	Wed, 16 Jan 2002 04:30:04 -0800 (PST)
	(envelope-from gnats)
Received: from vbook.express.ru (asplinux.ru [195.133.213.194])
	by hub.freebsd.org (Postfix) with ESMTP id 9272A37B404
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 16 Jan 2002 04:29:12 -0800 (PST)
Received: from vova by vbook.express.ru with local (Exim 3.31 #2)
	id 16QpBo-0000Mr-00; Wed, 16 Jan 2002 15:29:12 +0300
Message-Id: <E16QpBo-0000Mr-00@vbook.express.ru>
Date: Wed, 16 Jan 2002 15:29:12 +0300
From: "Vladimir B.Grebenschikov" <vova@sw.ru>
Reply-To: "Vladimir B.Grebenschikov" <vova@sw.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: kmv@sw.ru
X-Send-Pr-Version: 3.113
Subject: kern/33940: quotactl allows compromise gid-quotas
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         33940
>Category:       kern
>Synopsis:       quotactl allows compromise gid-quotas
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 16 04:30:04 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Vladimir B. Grebenschikov
>Release:        FreeBSD 4.4-RELEASE i386
>Organization:
SW soft
>Environment:
System: FreeBSD 4.4-RELEASE i386
	also tried with RELENG_4
>Description:
	ufs_quotactl(mp, cmds, uid, arg, p)
	accepts uid (actually id) from syscall quotactl(2)

	if id == -1 (function asumes that id = p->p_cred->p_ruid):

/* code */
       if (uid == -1)
               uid = p->p_cred->p_ruid;
/* code */

	but, type of quota may be not USRQUOTA there.
	so user with uid X can access groupquota of gid X

>How-To-Repeat:
	
>Fix:

diff against RELENG_4:

diff -u -u -r1.17.2.3 ufs_vfsops.c
--- sys/ufs/ufs/ufs_vfsops.c      2001/10/14 19:08:16     1.17.2.3
+++ sys/ufs/ufs/ufs_vfsops.c      2002/01/16 12:08:38
@@ -103,10 +103,22 @@
 #else
        int cmd, type, error;
 
-       if (uid == -1)
-               uid = p->p_cred->p_ruid;
+       type = cmds & SUBCMDMASK;
        cmd = cmds >> SUBCMDSHIFT;
 
+        if (uid == -1) {
+                switch (type) {
+                case USRQUOTA: 
+                        uid = p->p_cred->p_ruid;
+                        break;
+                case GRPQUOTA: 
+                        uid = p->p_cred->p_rgid;
+                        break;
+                default: 
+                        return (EINVAL);
+                }
+        }
+
        switch (cmd) {
        case Q_SYNC:
                break;
@@ -119,7 +131,6 @@
                        return (error);
        }
 
-       type = cmds & SUBCMDMASK;
        if ((u_int)type >= MAXQUOTAS)
                return (EINVAL);
        if (vfs_busy(mp, LK_NOWAIT, 0, p))
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message