author | peter <peter@FreeBSD.org> | 1997-03-31 15:13:33 +0000 |
---|---|---|
committer | peter <peter@FreeBSD.org> | 1997-03-31 15:13:33 +0000 |
commit | a67a7fef66afd2908c026ada6b68da9cddaeb48e (patch) | |
tree | fd1a89cacbbf26c14f7762f9d1d9c7f56918d349 /sys | |
parent | db3b5e918097f96d157f1b583a6b54c7b6ac53d9 (diff) | |
download | FreeBSD-src-a67a7fef66afd2908c026ada6b68da9cddaeb48e.zip FreeBSD-src-a67a7fef66afd2908c026ada6b68da9cddaeb48e.tar.gz |
Implement code for an OpenBSD-style issetugid().
This is valuable for library code which needs to be able to find out
whether the current process is or *was* set[ug]id at some point in the
past, and may have a "tainted" execution environment. This is especially
a problem with the trend to immediately revoke privs at startup and regain
them for critical sections. One problem with this is that if a cracker
is able to compromise the program while it's still got a saved id, the
cracker can direct the program to regain the privs. Another problem is
that the user may be able to affect the program in some other way (e.g.
setting resolver host aliases) and the library code needs to know when it
should disable these sorts of features.
Reviewed by: ache
Inspired by: OpenBSD (but with a different implementation)
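The situation the commit message describes, as an added example that is not part of this commit or of FreeBSD's own code: a library helper that honours a user-controlled override (a constructed MYLIB_CONF variable and a constructed default path) only when the process is not tainted. It assumes issetugid(2) on the BSDs and macOS and uses glibc's getauxval(AT_SECURE) as the Linux equivalent; the uid/euid comparison fallback is the weaker check the message warns about, since it cannot see privileges that were already dropped.

```c
/* Added example (not FreeBSD code): library code that disables a
 * user-controlled feature when the process is, or was, set-id. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#if defined(__linux__) && defined(__GLIBC__)
#include <sys/auxv.h>
#endif

/* Returns 1 if the process should be treated as "tainted": it is or was
 * set-user-ID/set-group-ID, or otherwise started with extra privilege. */
static int process_is_tainted(void)
{
#if defined(__linux__) && defined(__GLIBC__)
    /* Linux analogue: the kernel sets AT_SECURE at execve() time for
     * set-id binaries and binaries that gained capabilities. */
    return getauxval(AT_SECURE) != 0;
#elif defined(__FreeBSD__) || defined(__OpenBSD__) || \
      defined(__NetBSD__) || defined(__APPLE__)
    /* The system call this commit introduces (P_SUGID-based on FreeBSD). */
    return issetugid() != 0;
#else
    /* Fallback: only sees a *current* mismatch, which is exactly the gap
     * the commit message describes once privileges have been dropped. */
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Choose the configuration file to load. `override` is the value of a
 * user-controlled environment variable; it is ignored when tainted. */
static const char *choose_config_path(const char *override, int tainted)
{
    static const char default_path[] = "/etc/mylib.conf"; /* constructed */

    if (tainted || override == NULL || override[0] == '\0')
        return default_path;
    return override;
}

/* Convenience wrapper reading the constructed MYLIB_CONF variable. */
static const char *config_path_for_this_process(void)
{
    return choose_config_path(getenv("MYLIB_CONF"), process_is_tainted());
}

int main(void)
{
    printf("tainted=%d config=%s\n", process_is_tainted(),
           config_path_for_this_process());
    return 0;
}
```

Running the binary normally prints the override (if MYLIB_CONF is set); installing it set-uid, or starting it with elevated privilege and then dropping it, makes process_is_tainted() report 1 and the override is ignored regardless of the environment.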
Diffstat (limited to 'sys')
-rw-r--r-- | sys/kern/kern_prot.c | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index b408029..d1c4db4 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -36,7 +36,7 @@ * SUCH DAMAGE. * * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 - * $Id: kern_prot.c,v 1.29 1997/03/31 13:41:49 peter Exp $ + * $Id: kern_prot.c,v 1.30 1997/03/31 13:47:00 peter Exp $ */ /* @@ -674,6 +674,31 @@ setregid(p, uap, retval) return (0); } +#ifndef _SYS_SYSPROTO_H_ +struct issetugid_args { + int dummy; +}; +#endif +/* ARGSUSED */ +int +issetugid(p, uap, retval) + register struct proc *p; + struct issetugid_args *uap; + int *retval; +{ + /* + * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time, + * we use P_SUGID because we consider changing the owners as + * "tainting" as well. + * This is significant for procs that start as root and "become" + * a user without an exec - programs cannot know *everything* + * that libc *might* have put in their data segment. + */ + if (p->p_flag & P_SUGID) + return (1); + return (0); +} + /* * Check if gid is a member of the group set. */ |
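Review bot: in the issetugid() hunk, `retval` is declared but never written and the handler returns 1 or 0 directly; the surrounding code (setregid() ending in `return (0);`) follows the convention that a handler's return value is the error code while the value delivered to user space goes through `*retval`, so `return (1)` would reach the caller as an error rather than as a result of 1. Suggest `*retval = (p->p_flag & P_SUGID) ? 1 : 0;` followed by `return (0);`. The comment explaining why P_SUGID is used instead of OpenBSD's exec-time flag is worth carrying into the issetugid(2) manual page, since that "tainting" semantics is what callers depend on.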