author | rwatson <rwatson@FreeBSD.org> | 2001-04-13 03:06:22 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2001-04-13 03:06:22 +0000 |
commit | c11aa73a4bbe18bcaafc717f85a4d9342052370f (patch) | |
tree | 9d1ab5a556d60c9e38a379111677df2ba6378119 /sys/kern/kern_prot.c | |
parent | d74956ff5180709d92a363d57515a95e71b1e650 (diff) | |
o Disallow two "allow this" exceptions in p_cansignal() restricting
the ability of unprivileged processes to deliver arbitrary signals
to daemons temporarily taking on unprivileged effective credentials
when P_SUGID is not set on the target process:
Removed:
(p1->p_cred->cr_ruid != ps->p_cred->cr_uid)
(p1->p_ucred->cr_uid != ps->p_cred->cr_uid)
o Replace two "allow this" exceptions in p_cansignal() restricting
the ability of unprivileged processes to deliver arbitrary signals
to daemons temporarily taking on unprivileged effective credentials
when P_SUGID is set on the target process:
Replaced:
(p1->p_cred->p_ruid != p2->p_ucred->cr_uid)
(p1->p_cred->cr_uid != p2->p_ucred->cr_uid)
With:
(p1->p_cred->p_ruid != p2->p_ucred->p_svuid)
(p1->p_ucred->cr_uid != p2->p_ucred->p_svuid)
o These changes have the effect of making the uid-based handling of
both P_SUGID and non-P_SUGID signal delivery consistent, following
these four general cases:
p1's ruid equals p2's ruid
p1's euid equals p2's ruid
p1's ruid equals p2's svuid
p1's euid equals p2's svuid
The P_SUGID and non-P_SUGID cases can now be largely collapsed,
and I'll commit this in a few days if no immediate problems are
encountered with this set of changes.
o These changes remove a number of warning cases identified by the
proc_to_proc inter-process authorization regression test.
o As these are new restrictions, we'll have to watch out carefully for
possible side effects on running code: they seem reasonable to me,
but it's possible this change might have to be backed out if problems
are experienced.
Submitted by: src/tools/regression/security/proc_to_proc/testuid
Reviewed by: tmm
Obtained from: TrustedBSD Project
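The uid test that this commit tightens, modelled as an added example (editor's code, not part of the commit or of FreeBSD): a constructed `struct cred` stands in for the uid fields of the kernel's pcred/ucred, the `suser_xxx()` privilege fallback is not modelled, and the two functions reproduce the uid comparisons from the "before" and "after" sides of the hunks so the daemon scenario in the message can be checked directly.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the uid fields p_cansignal() consults
 * (assumption: not the kernel's real struct pcred / struct ucred). */
struct cred {
    unsigned ruid;   /* real uid      (p_cred->p_ruid)   */
    unsigned euid;   /* effective uid (p_ucred->cr_uid)  */
    unsigned svuid;  /* saved uid     (p_cred->p_svuid)  */
};

/* uid test as it stood before the commit: a match against the target's
 * effective uid was accepted, so a daemon that had temporarily dropped
 * its euid became signalable by any process running as that uid. */
bool uid_match_before(const struct cred *p1, const struct cred *p2)
{
    return p1->ruid == p2->ruid || p1->euid == p2->ruid ||
           p1->ruid == p2->euid || p1->euid == p2->euid;
}

/* uid test after the commit: the four cases listed in the message,
 * which compare only against the target's real and saved uids. */
bool uid_match_after(const struct cred *p1, const struct cred *p2)
{
    return p1->ruid == p2->ruid || p1->euid == p2->ruid ||
           p1->ruid == p2->svuid || p1->euid == p2->svuid;
}

/* Constructed scenario from the message: a root daemon (ruid 0, svuid 0)
 * has temporarily set its euid to an unprivileged uid, and an ordinary
 * process of that uid tries to signal it. Returns 1 when the old check
 * would allow it but the new check refuses. */
int daemon_scenario(void)
{
    struct cred daemon = { .ruid = 0, .euid = 1000, .svuid = 0 };
    struct cred user   = { .ruid = 1000, .euid = 1000, .svuid = 1000 };
    return uid_match_before(&user, &daemon) && !uid_match_after(&user, &daemon);
}

/* Control: an unrelated uid is refused by both versions. Returns 1 if so. */
int unrelated_scenario(void)
{
    struct cred target = { .ruid = 0, .euid = 1000, .svuid = 0 };
    struct cred other  = { .ruid = 2000, .euid = 2000, .svuid = 2000 };
    return !uid_match_before(&other, &target) && !uid_match_after(&other, &target);
}

int main(void)
{
    printf("daemon with dropped euid: old check allows, new refuses = %d\n",
           daemon_scenario());
    printf("unrelated uid refused by both = %d\n", unrelated_scenario());
    return 0;
}
```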
Diffstat (limited to 'sys/kern/kern_prot.c')
-rw-r--r-- | sys/kern/kern_prot.c | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 75c1f70..c86e875 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1084,8 +1084,8 @@ p_cansignal(struct proc *p1, struct proc *p2, int signum) */ if (p1->p_cred->p_ruid != p2->p_cred->p_ruid && p1->p_ucred->cr_uid != p2->p_cred->p_ruid && - p1->p_cred->p_ruid != p2->p_ucred->cr_uid && - p1->p_ucred->cr_uid != p2->p_ucred->cr_uid) { + p1->p_cred->p_ruid != p2->p_cred->p_svuid && + p1->p_ucred->cr_uid != p2->p_cred->p_svuid) { /* Not permitted, try privilege. */ error = suser_xxx(NULL, p1, PRISON_ROOT); if (error) @@ -1106,9 +1106,7 @@ p_cansignal(struct proc *p1, struct proc *p2, int signum) if (p1->p_cred->p_ruid != p2->p_cred->p_ruid && p1->p_cred->p_ruid != p2->p_cred->p_svuid && p1->p_ucred->cr_uid != p2->p_cred->p_ruid && - p1->p_ucred->cr_uid != p2->p_cred->p_svuid && - p1->p_cred->p_ruid != p2->p_ucred->cr_uid && - p1->p_ucred->cr_uid != p2->p_ucred->cr_uid) { + p1->p_ucred->cr_uid != p2->p_cred->p_svuid) { /* Not permitted, try privilege. */ error = suser_xxx(NULL, p1, PRISON_ROOT); if (error) |
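Review bot: In the first hunk the new comparisons read `p2->p_cred->p_svuid`, but the commit message lists them as `p2->p_ucred->p_svuid`, and the message's other field paths (`cr_ruid`, `ps->p_cred->cr_uid`) match neither the removed nor the surrounding lines; please correct the message so it names the fields the code actually uses. The message also describes the non-P_SUGID case as a removal and the P_SUGID case as a replacement, whereas this first hunk is the replacement and the second is the removal, so it is worth confirming the description is paired with the right branch.

Review bot: After the deletion in the second hunk the remaining condition is the same four comparisons as the first hunk (ruid/euid of p1 against ruid/svuid of p2), only in a different order, which is what lets the two branches be collapsed as the message proposes; reordering the second hunk's lines to match the first (`p_ruid != p_ruid`, `cr_uid != p_ruid`, `p_ruid != p_svuid`, `cr_uid != p_svuid`) would make that equivalence visible to a reader now and make the later collapse a trivial diff. Since every match against `p2->p_ucred->cr_uid` is gone, the proc_to_proc regression test named in the message should be re-run with the target in the P_SUGID state as well as the plain state, because this branch loses two previously accepted cases.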