-rw-r--r--ObsoleteFiles.inc2
-rw-r--r--share/man/man9/Makefile2
-rw-r--r--share/man/man9/priv.93
-rw-r--r--share/man/man9/suser.9115
-rw-r--r--share/man/man9/ucred.96
-rw-r--r--share/man/man9/vfs_suser.95
-rw-r--r--sys/dev/cxgb/ulp/tom/cxgb_cpl_io.c4
-rw-r--r--sys/kern/kern_priv.c21
-rw-r--r--sys/netipx/ipx.c15
-rw-r--r--sys/nfsserver/nfs_serv.c6
-rw-r--r--sys/security/mac_bsdextended/mac_bsdextended.c32
-rw-r--r--sys/sys/priv.h6
12 files changed, 46 insertions, 171 deletions
diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
index 85e10be..445e6c1 100644
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -14,6 +14,8 @@
# The file is partitioned: OLD_FILES first, then OLD_LIBS and OLD_DIRS last.
#
+# 20080917: removal of manpage for axed kernel primitive suser(9)
+OLD_FILES+=usr/share/man/man9/suser.9
# 20080913: pax removed from rescue
OLD_FILES+=rescue/pax
# 20080823: removal of unneeded pt_chown, to implement grantpt(3)
diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile
index 54108ab..cc600ee 100644
--- a/share/man/man9/Makefile
+++ b/share/man/man9/Makefile
@@ -225,7 +225,6 @@ MAN= accept_filter.9 \
stack.9 \
store.9 \
style.9 \
- suser.9 \
swi.9 \
sx.9 \
SYSCALL_MODULE.9 \
@@ -1108,7 +1107,6 @@ MLINKS+=store.9 subyte.9 \
store.9 suswintr.9 \
store.9 susword.9 \
store.9 suword.9
-MLINKS+=suser.9 suser_cred.9
MLINKS+=swi.9 swi_add.9 \
swi.9 swi_sched.9
MLINKS+=sx.9 sx_assert.9 \
diff --git a/share/man/man9/priv.9 b/share/man/man9/priv.9
index 2756da9..def1ca3 100644
--- a/share/man/man9/priv.9
+++ b/share/man/man9/priv.9
@@ -48,7 +48,7 @@ passed thread,
.Fa td ,
or credential,
.Fa cred .
-This interface replaces the
+This interface replaces the now removed
.Xr suser 9
privilege checking interface.
Privileges typically represent rights in one of two categories: the right to
@@ -112,7 +112,6 @@ failure occurred.
.Sh SEE ALSO
.Xr jail 2 ,
.Xr mac 9 ,
-.Xr suser 9 ,
.Xr ucred 9
.Sh AUTHORS
The
diff --git a/share/man/man9/suser.9 b/share/man/man9/suser.9
deleted file mode 100644
index 5411955..0000000
--- a/share/man/man9/suser.9
+++ /dev/null
@@ -1,115 +0,0 @@
-.\"
-.\" Copyright (c) 1996 Julian R Elischer
-.\" All rights reserved.
-.\"
-.\" This code is derived from software contributed by Kenneth Stailey.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. The name of the author may not be used to endorse or promote products
-.\" derived from this software without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
-.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $FreeBSD$
-.\"
-.Dd August 30, 2007
-.Dt SUSER 9
-.Os
-.Sh NAME
-.Nm suser ,
-.Nm suser_cred
-.Nd check if credentials have superuser privileges
-.Sh SYNOPSIS
-.In sys/priv.h
-.Ft int
-.Fn suser "struct thread *td"
-.Ft int
-.Fn suser_cred "struct ucred *cred" "int flag"
-.Sh DESCRIPTION
-The
-.Fn suser
-and
-.Fn suser_cred
-functions check if the credentials given include superuser powers.
-.Pp
-These interfaces have now been obsoleted by
-.Xr priv 9 ,
-and are provided only for compatibility with third party kernel modules that
-have not yet been updated to the new interface.
-They should not be used in any new kernel code.
-.Pp
-The
-.Fn suser
-function is the most common, and should be used unless special
-circumstances dictate otherwise.
-.Pp
-The
-.Fn suser_cred
-function should be used when the credentials to be checked are
-not the thread's own, when there is no thread, when superuser
-powers should be extended to imprisoned roots, or when the credential
-to be checked is the real user rather than the effective user.
-.Pp
-Whether or not a privilege is permitted in a
-.Xr jail 8
-depends on logic in
-.Fn prison_priv_check .
-.Pp
-In general, privileges are assigned based on the effective user ID; in some
-cases, the real user ID may be used.
-.Pp
-The
-.Fa flags
-field is currently unused.
-.Pp
-The
-.Fn suser
-and
-.Fn suser_cred
-functions note the fact that superuser powers have been used in the
-process structure of the process specified.
-Because part of their function is to notice
-whether superuser powers have been used,
-the functions should only be called after other permission
-possibilities have been exhausted.
-.Sh RETURN VALUES
-The
-.Fn suser
-and
-.Fn suser_cred
-functions return 0 if the user has superuser powers and
-.Er EPERM
-otherwise.
-This is the
-.Em reverse logic
-of some other implementations of
-.Fn suser
-in which a TRUE response indicates superuser powers.
-.Sh SEE ALSO
-.Xr chroot 2 ,
-.Xr jail 2 ,
-.Xr priv 9
-.Sh BUGS
-The
-.Fn suser
-and
-.Fn suser_cred
-functions do not, in fact, record that superuser privileges have been
-used, and have not done so since August 2000.
diff --git a/share/man/man9/ucred.9 b/share/man/man9/ucred.9
index bd16fe3..40933a2 100644
--- a/share/man/man9/ucred.9
+++ b/share/man/man9/ucred.9
@@ -163,12 +163,6 @@ In these circumstances, the thread credential
should be used, as it requires no locking to access safely, and remains stable
for the duration of the call even in the face of a multi-threaded
application changing the process credentials from another thread.
-Primitives such as
-.Xr suser 9
-will assume the use of
-.Va td_ucred
-unless explicitly specified using
-.Xr suser_cred 9 .
.Pp
During a process credential update, the process lock must be held across
check and update, to prevent race conditions.
diff --git a/share/man/man9/vfs_suser.9 b/share/man/man9/vfs_suser.9
index 749557a..df68bc2 100644
--- a/share/man/man9/vfs_suser.9
+++ b/share/man/man9/vfs_suser.9
@@ -46,7 +46,7 @@ It will check to see if the thread
passed in has the same credentials as the user that mounted the
file system.
If so, it returns 0, otherwise it returns what
-.Xr suser 9
+.Xr priv_check 9
would have returned.
.Sh RETURN VALUES
The
@@ -61,8 +61,7 @@ of some other implementations of
in which a TRUE response indicates superuser powers.
.Sh SEE ALSO
.Xr chroot 2 ,
-.Xr jail 2 ,
-.Xr suser 9
+.Xr jail 2
.Sh HISTORY
The
.Fn vfs_suser
diff --git a/sys/dev/cxgb/ulp/tom/cxgb_cpl_io.c b/sys/dev/cxgb/ulp/tom/cxgb_cpl_io.c
index 952a05b..b12c367 100644
--- a/sys/dev/cxgb/ulp/tom/cxgb_cpl_io.c
+++ b/sys/dev/cxgb/ulp/tom/cxgb_cpl_io.c
@@ -1663,8 +1663,8 @@ t3_ip_ctloutput(struct socket *so, struct sockopt *sopt)
if (error)
return (error);
- if (optval > IPTOS_PREC_CRITIC_ECP && !suser(curthread))
- return (EPERM);
+ if (optval > IPTOS_PREC_CRITIC_ECP)
+ return (EINVAL);
inp = so_sotoinpcb(so);
inp_wlock(inp);
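Review bot: The rewritten guard `if (optval > IPTOS_PREC_CRITIC_ECP) return (EINVAL);` now refuses these TOS values for every caller and changes the errno from EPERM to EINVAL, with nothing beside it recording that this is intended. The removed test used `!suser(curthread)`, and suser(9) returned 0 for a privileged caller, so the old line appears to have denied exactly the privileged case. A short comment such as `/* Precedence above CRITIC_ECP is refused for all callers; no privilege overrides it. */` would keep a later reader from re-adding a privilege check with the same inverted sense. Any caller that relied on EPERM to recognise a permission failure will now see a different error. t3_ip_ctloutput starts and ends outside this hunk.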
diff --git a/sys/kern/kern_priv.c b/sys/kern/kern_priv.c
index 87cce77..100f6d4 100644
--- a/sys/kern/kern_priv.c
+++ b/sys/kern/kern_priv.c
@@ -133,24 +133,3 @@ priv_check(struct thread *td, int priv)
return (priv_check_cred(td->td_ucred, priv, 0));
}
-
-/*
- * Historical suser() wrapper functions, which now simply request PRIV_ROOT.
- * These will be removed in the near future, and exist solely because
- * the kernel and modules are not yet fully adapted to the new model.
- */
-int
-suser_cred(struct ucred *cred, int flags)
-{
-
- return (priv_check_cred(cred, PRIV_ROOT, flags));
-}
-
-int
-suser(struct thread *td)
-{
-
- KASSERT(td == curthread, ("suser: td != curthread"));
-
- return (suser_cred(td->td_ucred, 0));
-}
diff --git a/sys/netipx/ipx.c b/sys/netipx/ipx.c
index 5ae0d4b..5761636 100644
--- a/sys/netipx/ipx.c
+++ b/sys/netipx/ipx.c
@@ -99,7 +99,7 @@ ipx_control(struct socket *so, u_long cmd, caddr_t data, struct ifnet *ifp,
struct ifaddr *ifa;
struct ipx_ifaddr *oia;
int dstIsNew, hostIsNew;
- int error = 0;
+ int error = 0, priv;
/*
* Find address for this interface, if it exists.
@@ -135,12 +135,13 @@ ipx_control(struct socket *so, u_long cmd, caddr_t data, struct ifnet *ifp,
return (0);
}
- if (td && (error = suser(td)) != 0)
- return (error);
-
switch (cmd) {
case SIOCAIFADDR:
case SIOCDIFADDR:
+ priv = (cmd == SIOCAIFADDR) ? PRIV_NET_ADDIFADDR :
+ PRIV_NET_DELIFADDR;
+ if (td && (error = priv_check(td, priv)) != 0)
+ return (error);
if (ifra->ifra_addr.sipx_family == AF_IPX)
for (oia = ia; ia != NULL; ia = ia->ia_next) {
if (ia->ia_ifp == ifp &&
@@ -154,6 +155,8 @@ ipx_control(struct socket *so, u_long cmd, caddr_t data, struct ifnet *ifp,
case SIOCSIFADDR:
case SIOCSIFDSTADDR:
+ if (td && (error = priv_check(td, PRIV_NET_SETLLADDR)) != 0)
+ return (error);
if (ia == NULL) {
oia = (struct ipx_ifaddr *)
malloc(sizeof(*ia), M_IFADDR,
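Review bot: The check added under `case SIOCSIFADDR:` / `case SIOCSIFDSTADDR:` uses `PRIV_NET_SETLLADDR`, a link-layer-address privilege name, for ioctls that set the interface's protocol address, and the choice is not explained. If the preceding `SIOCAIFADDR`/`SIOCDIFADDR` case falls through into this one (the lines between the two hunks are not shown), those requests would be checked twice, first against `PRIV_NET_ADDIFADDR`/`PRIV_NET_DELIFADDR` and then against `PRIV_NET_SETLLADDR`. That matters for any jail or MAC policy that grants one privilege without the other. A comment such as `/* Also reached by fall-through from SIOCAIFADDR/SIOCDIFADDR; both privileges are then required. */`, or a single check per command, would make the intent explicit. ipx_control continues outside the hunk.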
@@ -183,6 +186,10 @@ ipx_control(struct socket *so, u_long cmd, caddr_t data, struct ifnet *ifp,
ia->ia_broadaddr.sipx_addr.x_host = ipx_broadhost;
}
}
+ break;
+ default:
+ if (td && (error = priv_check(td, PRIV_NET_HWIOCTL)) != 0)
+ return (error);
}
switch (cmd) {
diff --git a/sys/nfsserver/nfs_serv.c b/sys/nfsserver/nfs_serv.c
index 15c6624..901a4bd 100644
--- a/sys/nfsserver/nfs_serv.c
+++ b/sys/nfsserver/nfs_serv.c
@@ -1802,7 +1802,8 @@ nfsrv_create(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp,
if (vap->va_type == VCHR && rdev == 0xffffffff)
vap->va_type = VFIFO;
if (vap->va_type != VFIFO &&
- (error = suser_cred(cred, 0))) {
+ (error = priv_check_cred(cred, PRIV_VFS_MKNOD_DEV,
+ 0))) {
goto ereply;
}
vap->va_rdev = rdev;
@@ -2024,7 +2025,8 @@ nfsrv_mknod(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp,
if (error)
NDFREE(&nd, NDF_ONLY_PNBUF);
} else {
- if (vtyp != VFIFO && (error = suser_cred(cred, 0)))
+ if (vtyp != VFIFO && (error = priv_check_cred(cred,
+ PRIV_VFS_MKNOD_DEV, 0)))
goto out;
error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, vap);
if (error) {
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index cb993db..93befae 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -221,7 +221,7 @@ static int
ugidfw_rulecheck(struct mac_bsdextended_rule *rule,
struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode)
{
- int match;
+ int mac_granted, match, priv_granted;
int i;
/*
@@ -372,9 +372,31 @@ ugidfw_rulecheck(struct mac_bsdextended_rule *rule,
}
/*
+ * MBI_APPEND should not be here as it should get converted to
+ * MBI_WRITE.
+ */
+ priv_granted = 0;
+ mac_granted = rule->mbr_mode;
+ if ((acc_mode & MBI_ADMIN) && (mac_granted & MBI_ADMIN) == 0 &&
+ priv_check_cred(cred, PRIV_VFS_ADMIN, 0) == 0)
+ priv_granted |= MBI_ADMIN;
+ if ((acc_mode & MBI_EXEC) && (mac_granted & MBI_EXEC) == 0 &&
+ priv_check_cred(cred, (vap->va_type == VDIR) ? PRIV_VFS_LOOKUP :
+ PRIV_VFS_EXEC, 0) == 0)
+ priv_granted |= MBI_EXEC;
+ if ((acc_mode & MBI_READ) && (mac_granted & MBI_READ) == 0 &&
+ priv_check_cred(cred, PRIV_VFS_READ, 0) == 0)
+ priv_granted |= MBI_READ;
+ if ((acc_mode & MBI_STAT) && (mac_granted & MBI_STAT) == 0 &&
+ priv_check_cred(cred, PRIV_VFS_STAT, 0) == 0)
+ priv_granted |= MBI_STAT;
+ if ((acc_mode & MBI_WRITE) && (mac_granted & MBI_WRITE) == 0 &&
+ priv_check_cred(cred, PRIV_VFS_WRITE, 0) == 0)
+ priv_granted |= MBI_WRITE;
+ /*
* Is the access permitted?
*/
- if ((rule->mbr_mode & acc_mode) != acc_mode) {
+ if (((mac_granted | priv_granted) & acc_mode) != acc_mode) {
if (ugidfw_logging)
log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d"
" on %d:%d failed. \n", cred->cr_ruid,
@@ -400,12 +422,6 @@ ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
int error, i;
/*
- * XXXRW: More specific privilege selection needed.
- */
- if (suser_cred(cred, 0) == 0)
- return (0);
-
- /*
* Since we do not separately handle append, map append to write.
*/
if (acc_mode & MBI_APPEND) {
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index 4c0fdca..c56c99d 100644
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -485,12 +485,6 @@ struct thread;
struct ucred;
int priv_check(struct thread *td, int priv);
int priv_check_cred(struct ucred *cred, int priv, int flags);
-
-/*
- * Continue to support external modules that rely on suser(9) -- for now.
- */
-int suser(struct thread *td);
-int suser_cred(struct ucred *cred, int flags);
#endif
#endif /* !_SYS_PRIV_H_ */