diff options
| author | rwatson <rwatson@FreeBSD.org> | 2001-04-12 22:46:07 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2001-04-12 22:46:07 +0000 |
| commit | e767472b727197cefeea3ddb87b7bd0821d673b4 (patch) | |
| tree | 7c5415e01185c5a8139cda0571b993801c6231ce /sbin/ip6fw | |
| parent | 229635845bd468b823e94ce0bb1276ef32672932 (diff) | |
| download | FreeBSD-src-e767472b727197cefeea3ddb87b7bd0821d673b4.zip FreeBSD-src-e767472b727197cefeea3ddb87b7bd0821d673b4.tar.gz | |
o Disable two "allow this" exceptions in p_cansched()m retricting the
ability of unprivileged processes to modify the scheduling properties
of daemons temporarily taking on unprivileged effective credentials.
These cases (p1->p_cred->p_ruid == p2->p_ucred->cr_uid) and
(p1->p_ucred->cr_uid == p2->p_ucred->cr_uid), respectively permitting
a subject process to influence the scheduling of a daemon if the subject
process has the same real uid or effective uid as the daemon's effective
uid. This removes a number of the warning cases identified by the
proc_to_proc iner-process authorization regression test.
o As these are new restrictions, we'll have to watch out carefully for
possible side effects on running code: they seem reasonable to me,
but it's possible this change might have to be backed out if problems
are experienced.
Reported by: src/tools/regression/security/proc_to_proc/testuid
Obtained from: TrustedBSD Project
Diffstat (limited to 'sbin/ip6fw')
0 files changed, 0 insertions, 0 deletions
