diff options
author | mckusick <mckusick@FreeBSD.org> | 2003-03-02 08:07:57 +0000 |
---|---|---|
committer | mckusick <mckusick@FreeBSD.org> | 2003-03-02 08:07:57 +0000 |
commit | abeee19e64eda24a992227b18d9b8682330b09e0 (patch) | |
tree | 2ddbcc07d94edbd92ed1f375bc1f47ae6aac0c4a /sbin/mksnap_ffs/mksnap_ffs.c | |
parent | 8e95e9172221aabf5978f7f50ae2308a105d6f6c (diff) | |
download | FreeBSD-src-abeee19e64eda24a992227b18d9b8682330b09e0.zip FreeBSD-src-abeee19e64eda24a992227b18d9b8682330b09e0.tar.gz |
Close out a possible race where anybody in group operator could
chown an arbitrary file to operator.
Reported by: Ian Dowse <iedowse@maths.tcd.ie>
Sponsored by: DARPA & NAI Labs.
Diffstat (limited to 'sbin/mksnap_ffs/mksnap_ffs.c')
-rw-r--r-- | sbin/mksnap_ffs/mksnap_ffs.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/sbin/mksnap_ffs/mksnap_ffs.c b/sbin/mksnap_ffs/mksnap_ffs.c index 8f33cde..1c3fb61 100644 --- a/sbin/mksnap_ffs/mksnap_ffs.c +++ b/sbin/mksnap_ffs/mksnap_ffs.c @@ -41,6 +41,7 @@ #include <ufs/ufs/ufsmount.h> #include <err.h> #include <errno.h> +#include <fcntl.h> #include <grp.h> #include <stdio.h> #include <stdlib.h> @@ -62,6 +63,8 @@ main(int argc, char **argv) const char *dir; struct ufs_args args; struct group *grp; + struct stat stbuf; + int fd; if (argc != 3) usage(); @@ -73,9 +76,15 @@ main(int argc, char **argv) errx(1, "Cannot retrieve operator gid"); if (mount("ffs", dir, MNT_UPDATE | MNT_SNAPSHOT, &args) < 0) err(1, "Cannot create %s", args.fspec); - if (chown(args.fspec, -1, grp->gr_gid) != 0) + if ((fd = open(args.fspec, O_RDONLY)) < 0) + err(1, "Cannot open %s", args.fspec); + if (fstat(fd, &stbuf) != 0) + err(1, "Cannot stat %s", args.fspec); + if ((stbuf.st_flags & SF_SNAPSHOT) == 0) + errx(1, "File %s is not a snapshot", args.fspec); + if (fchown(fd, -1, grp->gr_gid) != 0) err(1, "Cannot chown %s", args.fspec); - if (chmod(args.fspec, S_IRUSR | S_IRGRP) != 0) + if (fchmod(fd, S_IRUSR | S_IRGRP) != 0) err(1, "Cannot chmod %s", args.fspec); exit(EXIT_SUCCESS); |