author: pjd <pjd@FreeBSD.org> 2011-05-31 07:02:49 +0000
committer: pjd <pjd@FreeBSD.org> 2011-05-31 07:02:49 +0000
commit: b6ae7ca260605f046bb9ed7abc1beba20f7650a7 (patch)
tree: abd41fb961a7db052213bb537207a2c1beb0797c /sys/cddl/compat/opensolaris/kern
parent: 2adafc03232464837b5248397590e850ab6d7dc7 (diff)
Imagine a situation where a security problem is found in a setuid binary.
The user upgrades his system to fix the problem, but if he has any ZFS snapshots for the file system which contains the problematic binary, any user can mount the snapshot and execute the vulnerable binary. Prevent this from happening by always mounting snapshots with setuid turned off.

MFC after: 2 weeks
Diffstat (limited to 'sys/cddl/compat/opensolaris/kern')
-rw-r--r-- sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c b/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c
index be9f4ec..a266eca 100644
--- a/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c
+++ b/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c
@@ -172,6 +172,11 @@ mount_snapshot(kthread_t *td, vnode_t **vpp, const char *fstype, char *fspath,
*/
mp->mnt_flag |= MNT_RDONLY;
/*
+ * We don't want snapshots to allow access to vulnerable setuid
+ * programs, so we turn off setuid when mounting snapshots.
+ */
+ mp->mnt_flag |= MNT_NOSUID;
+ /*
* We don't want snapshots to be visible in regular
* mount(8) and df(1) output.
*/
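Review bot: the new comment above `mp->mnt_flag |= MNT_NOSUID;` mentions only setuid, but MNT_NOSUID also stops setgid bits from taking effect, so the comment should say "setuid and setgid programs" to match what the flag does. The flag is also applied unconditionally in mount_snapshot(), with no override visible in this hunk, so the behaviour change deserves a line in the user-facing ZFS documentation. Administrators who find that a setuid binary under a snapshot no longer runs with elevated privileges would otherwise have no pointer to the cause.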