path: root/sys/kern/kern_prot.c
Commit message / Author / Age / Files / Lines
* o Disable flagging of ASU in suser_xxx() authorization check. For the
  time being, the ASU accounting flag will no longer be available, but may
  be reinstituted in the future once authorization has been redone. As it
  is, the kernel went through contortions in access control to avoid
  calling suser, which always set the flag. This will also allow suser to
  accept const struct *{cred, proc} arguments.
  Reviewed by: bde, green, phk, freebsd-security, others
  Approved by: bde
  Obtained from: TrustedBSD Project
  -- rwatson, 2000-08-30 (1 file, -2/+0)
* fix races in the uidinfo subsystem, several problems existed:
  1) while allocating a uidinfo struct malloc is called with M_WAITOK, it's
     possible that while asleep another process by the same user could have
     woken up earlier and inserted an entry into the uid hash table. Having
     redundant entries causes inconsistencies that we can't handle.
     fix: do a non-waiting malloc, and if that fails then do a blocking
     malloc, after waking up check that no one else has inserted an entry
     for us already.
  2) Because many checks for sbsize were done as "test then set" in a
     non-atomic manner it was possible to exceed the limits put up via
     races.
     fix: instead of querying the count then setting, we just attempt to set
     the count and leave it up to the function to return success or failure.
  3) The uidinfo code was inlining and repeating, lookups and insertions and
     deletions needed to be in their own functions for clarity.
  Reviewed by: green
  -- alfred, 2000-06-22 (1 file, -6/+6)
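The two races in the message above, as an added user-space model (this is not code from kern_prot.c or from the kernel's uidinfo code): the interleavings that cause the bugs are made explicit so they reproduce deterministically. The single-bucket table, the names (uifind, chgsbsize, sbsize_check, competitor_inserts) and the sleep hook that stands in for M_WAITOK are all this example's own.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <sys/types.h>

struct uidinfo {
    uid_t ui_uid;
    long ui_sbsize;               /* socket-buffer bytes charged to this uid */
    struct uidinfo *ui_next;
};

static struct uidinfo *uihash;    /* one bucket stands in for the hash table */

static struct uidinfo *uilookup(uid_t uid)
{
    struct uidinfo *ui;
    for (ui = uihash; ui != NULL && ui->ui_uid != uid; ui = ui->ui_next)
        ;
    return ui;
}

static struct uidinfo *uiinsert(struct uidinfo *ui, uid_t uid)
{
    ui->ui_uid = uid;
    ui->ui_next = uihash;
    uihash = ui;
    return ui;
}

int uicount(void)
{
    int n = 0;
    for (struct uidinfo *ui = uihash; ui != NULL; ui = ui->ui_next) n++;
    return n;
}

/* Problem 1.  nowait_fails decides whether the non-blocking allocation fails;
 * while_asleep runs during the blocking one and stands in for another process
 * of the same uid that woke first and inserted its own entry.  After waking,
 * the table is looked up again before anything is inserted. */
struct uidinfo *uifind(uid_t uid, bool nowait_fails, void (*while_asleep)(void))
{
    struct uidinfo *ui = uilookup(uid);
    if (ui != NULL)
        return ui;
    struct uidinfo *fresh = nowait_fails ? NULL : calloc(1, sizeof(*fresh));
    if (fresh == NULL) {
        if (while_asleep != NULL)
            while_asleep();               /* M_WAITOK: the world may change */
        fresh = calloc(1, sizeof(*fresh));
        ui = uilookup(uid);               /* re-check before inserting */
        if (ui != NULL) {
            free(fresh);                  /* someone beat us to it */
            return ui;
        }
    }
    return uiinsert(fresh, uid);
}

/* Demonstration driver: the competitor inserts an entry for the same uid
 * while our caller is "asleep" in the blocking allocation. */
static uid_t competing_uid;
static void competitor_inserts(void)
{
    uiinsert(calloc(1, sizeof(struct uidinfo)), competing_uid);
}
struct uidinfo *uifind_with_competitor(uid_t uid)
{
    competing_uid = uid;
    return uifind(uid, true, competitor_inserts);
}

/* Problem 2, racy form: check and update are two calls, so two callers can
 * both pass the check before either has updated. */
bool sbsize_check(const struct uidinfo *ui, long d, long max) { return ui->ui_sbsize + d <= max; }
void sbsize_set(struct uidinfo *ui, long d) { ui->ui_sbsize += d; }

/* Fixed form: the callee decides and updates in one step; the caller only
 * learns whether its request was granted.  Decreases always succeed. */
bool chgsbsize(struct uidinfo *ui, long *hiwat, long to, long max)
{
    long delta = to - *hiwat;
    if (delta > 0 && ui->ui_sbsize + delta > max)
        return false;
    ui->ui_sbsize += delta;
    *hiwat = to;
    return true;
}

/* Callers A and B each want `want` bytes against `max`, interleaved as
 * check-A, check-B, set-A, set-B.  Returns the total that got charged. */
long racy_interleaving(long want, long max)
{
    struct uidinfo ui = { 0 };
    if (sbsize_check(&ui, want, max) && sbsize_check(&ui, want, max)) {
        sbsize_set(&ui, want);
        sbsize_set(&ui, want);            /* 2 * want: the limit is exceeded */
    }
    return ui.ui_sbsize;
}

long fixed_interleaving(long want, long max)
{
    struct uidinfo ui = { 0 };
    long hiwat_a = 0, hiwat_b = 0;
    chgsbsize(&ui, &hiwat_a, want, max);
    chgsbsize(&ui, &hiwat_b, want, max);  /* refused: limit already reached */
    return ui.ui_sbsize;
}
```

The kernel at the time had no pre-emption between kernel-mode instructions, so "atomic" here means "no sleep between the check and the update"; the same shape applies to any limit that is enforced by a caller-side test followed by a callee-side set.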
* o bde suggested moving the SYSCTL from kern_mib to the more appropriate
  kern_prot, which cleans up some namespace issues
  o Don't need a special handler to limit un-setting, as suser is used to
  protect suser_permitted, making it one-way by definition.
  Suggested by: bde
  -- rwatson, 2000-06-05 (1 file, -0/+6)
* o Introduce kern.suser_permitted, a sysctl that disables the suser_xxx()
  returning anything but EPERM.
  o suser is enabled by default; once disabled, cannot be reenabled
  o To be used in alternative security models where uid0 does not connote
  additional privileges
  o Should be noted that uid0 still has some additional powers as it owns
  many important files and executables, so suffers from the same fundamental
  security flaws as securelevels. This is fixed with MAC integrity protection
  code (in progress)
  o Not safe for consumption unless you are *really* sure you don't want
  things like shutdown to work, et al :-)
  Obtained from: TrustedBSD Project
  -- rwatson, 2000-06-05 (1 file, -0/+2)
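The one-way switch described in the two messages above, as an added user-space model (not kern_prot.c code): the write handler for the knob is guarded by the same suser check the knob disables, which is the whole reason no special handler is needed. The function names and the uid_t-only credential are this example's assumptions.

```c
#include <errno.h>
#include <sys/types.h>

static int suser_permitted = 1;      /* stands in for kern.suser_permitted */

/* suser: 0 if the caller is privileged, EPERM otherwise.  Once the switch
 * is off, uid 0 is an ordinary uid as far as this check is concerned. */
int suser_model(uid_t euid)
{
    if (!suser_permitted)
        return EPERM;
    return euid == 0 ? 0 : EPERM;
}

/* Write handler for the knob.  It is guarded by suser_model() itself, which
 * is what makes the switch one-way without a special handler: after a write
 * of 0, no caller can pass the check that a write of 1 would require. */
int sysctl_suser_permitted(uid_t caller_euid, int newval)
{
    int error = suser_model(caller_euid);
    if (error != 0)
        return error;
    if (newval != 0 && newval != 1)
        return EINVAL;
    suser_permitted = newval;
    return 0;
}

/* Anything gated on suser, reboot for instance, stops working for uid 0 too. */
int reboot_model(uid_t caller_euid)
{
    return suser_model(caller_euid);
}
```

Note that the model only captures the kernel-side check; as the message says, uid 0 still owns the files and binaries, so this is not an integrity boundary by itself.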
* Make issetugid return correctly. It was returning -1 with
  errno == 1 if it was set?id!
  Submitted by: Valentin Nechayev <netch@segfault.kiev.ua>
  -- peter, 2000-05-09 (1 file, -2/+1)
* Make the sigprocmask() and geteuid() system calls MP SAFE. Expand
  commentary for copyin/copyout to indicate that they are MP SAFE as well.
  Reviewed by: msmith
  -- dillon, 2000-04-02 (1 file, -6/+9)
* Commit major SMP cleanups and move the BGL (big giant lock) in the
  syscall path inward. A system call may select whether it needs the MP
  lock or not (the default being that it does need it).

  A great deal of conditional SMP code for various deadended experiments
  has been removed. 'cil' and 'cml' have been removed entirely, and the
  locking around the cpl has been removed. The conditional
  separately-locked fast-interrupt code has been removed, meaning that
  interrupts must hold the CPL now (but they pretty much had to anyway).
  Another reason for doing this is that the original separate-lock for
  interrupts just doesn't apply to the interrupt thread mechanism being
  contemplated.

  Modifications to the cpl may now ONLY occur while holding the MP lock.
  For example, if an otherwise MP safe syscall needs to mess with the cpl,
  it must hold the MP lock for the duration and must (as usual)
  save/restore the cpl in a nested fashion.

  This is precursor work for the real meat coming later: avoiding having
  to hold the MP lock for common syscalls and I/O's and interrupt threads.
  It is expected that the spl mechanisms and new interrupt threading
  mechanisms will be able to run in tandem, allowing a slow piecemeal
  transition to occur.

  This patch should result in a moderate performance improvement due to
  the considerable amount of code that has been removed from the critical
  path, especially the simplification of the spl*() calls. The real
  performance gains will come later.
  Approved by: jkh
  Reviewed by: current, bde (exception.s)
  Some work taken from: luoqi's patch
  -- dillon, 2000-03-28 (1 file, -1/+14)
* Implement setres[ug]id() and getres[ug]id(). This has been sitting in
  my tree for ages (~2 years) waiting for an excuse to commit it. Now Linux
  has implemented it and it seems that Staroffice (when using the
  linux_base6.1 port's libc) calls this in the linux emulator and dies in
  setup. The Linux emulator can call these now.
  -- peter, 2000-01-16 (1 file, -0/+158)
* Handle the case where we truss an SUGID program -- in particular, we need
  to wake up any processes waiting via PIOCWAIT on process exit, and truss
  needs to be more aware that a process may actually disappear while it's
  waiting.
  Reviewed by: Paul Saab <ps@yahoo-inc.com>
  -- sef, 2000-01-10 (1 file, -1/+1)
* truss /usr/bin/su
  login (or not if root) then exit the shell
  truss will get stuck in tsleep

  I don't know if this is correct, but it fixes the problem and according
  to the comments in pioctl.h, PF_ISUGID is set when we want to ignore UID
  changes. The code is checking for when PF_ISUGID is not set and since it
  never is set, we always ignore UID changes.
  Submitted by: Paul Saab <ps@yahoo-inc.com>
  -- phk, 2000-01-03 (1 file, -2/+2)
* Introduce the new function
  p_trespass(struct proc *p1, struct proc *p2)
  which returns zero or an errno depending on the legality of p1
  trespassing on p2.

  Replace kern_sig.c:CANSIGNAL() with call to p_trespass() and one extra
  signal related check.

  Replace procfs.h:CHECKIO() macros with calls to p_trespass().

  Only show command lines to process which can trespass on the target
  process.
  -- phk, 1999-11-21 (1 file, -0/+25)
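An inter-process access check of the shape described above, as an added user-space model (not the kernel's p_trespass(), and not kern_sig.c's CANSIGNAL()): it returns 0 or an errno, a process in a prison cannot even see processes outside it, and the signal wrapper adds the one signal-specific clause. The exact rule set (any real/effective uid match in either direction, otherwise superuser; SIGCONT allowed within the sender's session) is this example's assumption about the classic BSD rules, and the struct and sample processes are constructed for the demonstration.

```c
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

struct mproc {
    uid_t p_ruid, p_euid;       /* real and effective uid */
    const void *p_session;      /* session identity, compared by address */
    const void *p_prison;       /* NULL when the process is not jailed */
};

/* An unjailed process may see everything; a jailed one only its own prison. */
static bool prison_check(const struct mproc *p1, const struct mproc *p2)
{
    return p1->p_prison == NULL || p1->p_prison == p2->p_prison;
}

/* Jailed root still counts as root here; prison_check() bounds its reach. */
static int suser_model(const struct mproc *p)
{
    return p->p_euid == 0 ? 0 : EPERM;
}

/* 0 if p1 may trespass on p2, else an errno.  Rule set assumed, see above. */
int p_trespass_model(const struct mproc *p1, const struct mproc *p2)
{
    if (p1 == p2)
        return 0;
    if (!prison_check(p1, p2))
        return ESRCH;                 /* p2 does not exist from p1's view */
    if (p1->p_ruid == p2->p_ruid || p1->p_euid == p2->p_ruid ||
        p1->p_ruid == p2->p_euid || p1->p_euid == p2->p_euid)
        return 0;
    return suser_model(p1);
}

/* The one extra signal-related clause: SIGCONT may be delivered within the
 * sender's own session even without a uid match. */
int cansignal_model(const struct mproc *p1, const struct mproc *p2, int signum)
{
    int error = p_trespass_model(p1, p2);
    if (error == EPERM && signum == SIGCONT && p1->p_session == p2->p_session)
        return 0;
    return error;
}

/* constructed sample processes for the demonstration */
static int sess1, sess2, prison1;
struct mproc alice       = { 1000, 1000, &sess1, NULL };
struct mproc bob         = { 1001, 1001, &sess1, NULL };
struct mproc bob_other   = { 1001, 1001, &sess2, NULL };
struct mproc suid_prog   = { 1000,    8, &sess1, NULL };  /* alice ran a set-uid binary */
struct mproc root_p      = {    0,    0, &sess2, NULL };
struct mproc jailed_root = {    0,    0, &sess2, &prison1 };
struct mproc jail_mate   = { 1002, 1002, &sess2, &prison1 };
```

Returning ESRCH rather than EPERM for the prison case is what lets the same function serve procfs: a jailed process cannot distinguish "exists but forbidden" from "does not exist".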
* Trim unused options (or #ifdef for undoc options).
  Submitted by: phk
  -- peter, 1999-10-11 (1 file, -1/+0)
* $Id$ -> $FreeBSD$
  -- peter, 1999-08-28 (1 file, -1/+1)
* This Implements the mumbled about "Jail" feature.
  This is a seriously beefed up chroot kind of thing. The process is
  jailed along the same lines as a chroot does it, but with additional
  tough restrictions imposed on what the superuser can do.

  For all I know, it is safe to hand over the root bit inside a prison to
  the customer living in that prison, this is what it was developed for in
  fact: "real virtual servers".

  Each prison has an ip number associated with it, which all IP
  communications will be coerced to use and each prison has its own
  hostname.

  Needless to say, you need more RAM this way, but the advantage is that
  each customer can run their own particular version of apache and not
  stomp on the toes of their neighbors.

  It generally does what one would expect, but setting up a jail still
  takes a little knowledge.

  A few notes:
    I have no scripts for setting up a jail, don't ask me for them.
    The IP number should be an alias on one of the interfaces.
    mount a /proc in each jail, it will make ps more useable.
    /proc/<pid>/status tells the hostname of the prison for jailed
    processes.
    Quotas are only sensible if you have a mountpoint per prison.
    There are no provisions for stopping resource-hogging.
    Some "#ifdef INET" and similar may be missing (send patches!)

  If somebody wants to take it from here and develop it into more of a
  "virtual machine" they should be most welcome!

  Tools, comments, patches & documentation most welcome.

  Have fun...
  Sponsored by: http://www.rndassociates.com/
  Run for almost a year by: http://www.servetheweb.com/
  -- phk, 1999-04-28 (1 file, -19/+27)
* Change suser_xxx() to suser() where it applies.
  -- phk, 1999-04-27 (1 file, -10/+10)
* Suser() simplification:
  1: s/suser/suser_xxx/
  2: Add new function: suser(struct proc *), prototyped in <sys/proc.h>.
  3: s/suser_xxx(\([a-zA-Z0-9_]*\)->p_ucred, \&\1->p_acflag)/suser(\1)/

  The remaining suser_xxx() calls will be scrutinized and dealt with later.

  There may be some unneeded #include <sys/cred.h>, but they are left as an
  exercise for Bruce.

  More changes to the suser() API will come along with the "jail" code.
  -- phk, 1999-04-27 (1 file, -12/+19)
* Fix warnings in preparation for adding -Wall -Wcast-qual to the
  kernel compile
  -- dillon, 1999-01-28 (1 file, -9/+9)
* getpgid() and getsid() were doing a comparison rather than an assignment,
  which is fortunate, because otherwise another bug would allow them to be
  used to stomp on the syscall return value of another process.
  -- truckman, 1998-12-13 (1 file, -5/+11)
* add #include <sys/kernel.h> where it's needed by MALLOC_DEFINE()
  -- peter, 1998-11-10 (1 file, -1/+2)
* If the session leader dies, s_leader is set to NULL and getsid() may
  dereference a NULL pointer, causing a panic. Instead of following
  s_leader to find the session id, store it in the session structure.

  Jukka found the following info:
    BTW - I just found what I have been looking for. Std 1003.1 Part 1:
    SYSTEM API [C LANGUAGE] section 2.2.2.80 states quite explicitly...
      Session lifetime: The period between when a session is created and
      the end of lifetime of all the process groups that remain as members
      of the session.
    So, this quite clearly tells that while there is any single process in
    any process group which is a member of the session, the session remains
    as an independent entity.
  Reviewed by: peter
  Submitted by: "Jukka A. Ukkonen" <jau@jau.tmt.tele.fi>
  -- truckman, 1998-11-09 (1 file, -2/+2)
* 64bit fixes: use size_t not u_int for sizes.
  -- dfr, 1998-06-10 (1 file, -2/+2)
* Clear the p_stops field on change of user/group id, unless the correct
  flag is set in the p_pfsflags field. This, essentially, prevents an SUID
  program from hanging after being traced. (E.g., "truss /usr/bin/rlogin"
  would fail, but leave rlogin in a stopevent state.) Yet another case
  where procctl is (hopefully ;)) no longer needed in the general case.
  Reviewed by: bde (thanks bruce :))
  -- sef, 1997-12-20 (1 file, -16/+26)
* Make COMPAT_43 and COMPAT_SUNOS new-style options.
  -- eivind, 1997-12-16 (1 file, -1/+3)
* Move the "retval" (3rd) parameter from all syscall functions and put
  it in struct proc instead.

  This fixes a boatload of compiler warnings, and removes a lot of cruft
  from the sources.

  I have not removed the /*ARGSUSED*/, they will require some looking at.

  libkvm, ps and other userland struct proc frobbing programs will need to
  be recompiled.
  -- phk, 1997-11-06 (1 file, -60/+38)
* Killed non-sensical call to splimp/splx in crfree().
  -- dg, 1997-10-17 (1 file, -5/+1)
* Last major round (Unless Bruce thinks of something :-) of malloc changes.
  Distribute all but the most fundamental malloc types.

  This time I also remembered the trick to making things static:
  Put "static" in front of them.

  A couple of finer points by: bde
  -- phk, 1997-10-12 (1 file, -1/+3)
* Implement XPG/SYSV-style getpgid()/getsid() syscalls. getpgid() uses the
  same syscall number as NetBSD/OpenBSD. The getpgid() came from NetBSD (I
  think) originally, but it's basically cut/paste/edit from the other
  simple get*() syscalls.
  -- peter, 1997-08-19 (1 file, -1/+50)
* Removed unused #includes.
  -- bde, 1997-08-02 (1 file, -4/+1)
* Don't incorrectly set P_SUGID in setre[ug]id() for no reason, as noticed
  by bde. Don't return EPERM in setre[ug]id() just because the caller
  passes in the current effective id in the second arg (ie: no change),
  as suggested by ache.
  -- peter, 1997-04-02 (1 file, -5/+9)
* Implement code for an OpenBSD-style issetugid().
  This is valuable for library code which needs to be able to find out
  whether the current process is or *was* set[ug]id at some point in the
  past, and may have a "tainted" execution environment. This is especially
  a problem with the trend to immediately revoke privs at startup and
  regain them for critical sections. One problem with this is that if a
  cracker is able to compromise the program while it's still got a saved
  id, the cracker can direct the program to regain the privs. Another
  problem is that the user may be able to affect the program in some other
  way (eg: setting resolver host aliases) and the library code needs to
  know when it should disable these sorts of features.
  Reviewed by: ache
  Inspired by: OpenBSD (but with a different implementation)
  -- peter, 1997-03-31 (1 file, -1/+26)
* Do not set the P_SUGID flag in seteuid()/setegid() if nothing has changed.
  (for supporting issetugid())
  Reviewed by: ache (as was the previous commit, rev 1.29)
  -- peter, 1997-03-31 (1 file, -11/+20)
* Do not set the P_SUGID flag in seteuid()/setegid() if nothing has changed.
  (for supporting issetugid())
  -- peter, 1997-03-31 (1 file, -9/+15)
* Fully implement the clause in Appendix B.4.2.2 from Posix 1003.1
  that allows traditional BSD setuid/setgid behavior. The only visible
  difference should be that a non-root setuid program (eg: inn's "rnews"
  program) that is setuid to news, can completely "become" uid news. (ie:
  setuid(geteuid()) This was allowed in traditional 4.2/4.3BSD and is now
  "blessed" by Posix as a special case of "appropriate privilege".

  Also, be much more careful with the P_SUGID flag so that we can use it
  for issetugid() - only set it if something changed.
  Reviewed by: ache
  -- peter, 1997-03-31 (1 file, -31/+132)
* Make setgroups(0, xxx) behave as it does on SYSV, namely clear the groups
  vector except for the egid in groups[0]. There is a risk that programs
  that come from SYSV/Linux that expect this to work and don't check for
  error returns may accidentally pass root's groups on to child processes.
  We now do what is least surprising (to non BSD programs/programmers) in
  this scenario, and nothing is changed for programs written with BSD
  groups rules in mind.
  Reviewed by: ache
  -- peter, 1997-03-31 (1 file, -6/+20)
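The credential rules described in the issetugid(), P_SUGID, B.4.2.2 setuid and setgroups(0, xxx) messages above, as one added user-space model (not kern_prot.c code): real, effective and saved uids, a P_SUGID flag raised only when an id actually changes, and a groups vector whose groups[0] is the effective gid. "Appropriate privilege" is modelled as superuser or uid == euid, which is this example's reading of the B.4.2.2 clause; NGROUPS_MODEL, the struct and the sample credentials are all constructed here.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>

#define NGROUPS_MODEL 16

struct mcred {
    uid_t ruid, euid, svuid;        /* real, effective and saved uid */
    gid_t groups[NGROUPS_MODEL];    /* groups[0] is the effective gid */
    int ngroups;
    bool sugid;                     /* P_SUGID: an id changed since exec */
};

static bool is_super(const struct mcred *c) { return c->euid == 0; }

/* exec: a set-id image installs its owner as effective uid and raises the
 * flag; any exec makes the saved uid equal the effective one; a plain image
 * run by a process whose ids agree clears the flag.  Returns the flag. */
bool exec_image(struct mcred *c, uid_t owner, bool setuid_bit)
{
    if (setuid_bit) {
        c->euid = owner;
        c->sugid = true;
    } else if (c->euid == c->ruid) {
        c->sugid = false;
    }
    c->svuid = c->euid;
    return c->sugid;
}

/* setuid with the B.4.2.2 clause: the effective uid may be set to the real,
 * saved or current effective uid without privilege; with appropriate
 * privilege (superuser, or uid == euid) all three ids are set. */
int setuid_model(struct mcred *c, uid_t uid)
{
    if (uid != c->ruid && uid != c->svuid && uid != c->euid && !is_super(c))
        return EPERM;
    if (uid == c->euid || is_super(c)) {
        if (c->ruid != uid)  { c->ruid = uid;  c->sugid = true; }
        if (c->svuid != uid) { c->svuid = uid; c->sugid = true; }
    }
    if (c->euid != uid)      { c->euid = uid;  c->sugid = true; }
    return 0;
}

/* seteuid: only the real or saved uid may be assumed without privilege; the
 * flag is raised only if the effective uid actually changes. */
int seteuid_model(struct mcred *c, uid_t euid)
{
    if (euid != c->ruid && euid != c->svuid && !is_super(c))
        return EPERM;
    if (c->euid != euid) { c->euid = euid; c->sugid = true; }
    return 0;
}

bool issetugid_model(const struct mcred *c) { return c->sugid; }

/* setgroups: n == 0 drops every supplementary group but keeps the effective
 * gid in groups[0], so a caller that ignores a failure cannot hand its own
 * full list to a child by accident. */
int setgroups_model(struct mcred *c, int n, const gid_t *gids)
{
    if (!is_super(c))
        return EPERM;
    if (n < 0 || n > NGROUPS_MODEL)
        return EINVAL;
    if (n == 0) {
        c->ngroups = 1;
        return 0;
    }
    memcpy(c->groups, gids, (size_t)n * sizeof(gid_t));
    c->ngroups = n;
    return 0;
}

/* constructed sample credentials: a user about to run set-uid-news rnews,
 * the same user running a plain binary, and root with supplementary groups */
struct mcred news_cred  = { .ruid = 1000, .euid = 1000, .svuid = 1000, .groups = {1000}, .ngroups = 1 };
struct mcred plain_cred = { .ruid = 1000, .euid = 1000, .svuid = 1000, .groups = {1000}, .ngroups = 1 };
struct mcred root_cred  = { .ruid = 0, .euid = 0, .svuid = 0, .groups = {0, 5, 20}, .ngroups = 3 };
gid_t new_groups[2] = { 7, 9 };
```

The sequence worth tracing is the one the issetugid() message warns about: after exec of a set-uid image, seteuid(getuid()) drops privilege but the saved uid still allows seteuid() back, and issetugid() stays true throughout; only setuid(geteuid()) under the B.4.2.2 clause makes the change irreversible.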
* Oops, fix typo.
  -- ache, 1997-03-03 (1 file, -2/+2)
* Don't copy more than MAXLOGNAME bytes in getlogin() syscall,
  it is stricter than padded s_login size check was there.
  -- ache, 1997-03-03 (1 file, -3/+3)
* Use MAXLOGNAME for stricter size check in setlogin() syscall instead of
  sizeof of padded s_login array
  -- ache, 1997-03-03 (1 file, -3/+3)
* Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not
  ready for it yet.
  -- peter, 1997-02-22 (1 file, -1/+1)
* Fix off by one error in setlogin() syscall.
  Don't overwrite session login unless the call is going to succeed.
  -- davidn, 1997-02-10 (1 file, -3/+6)
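The setlogin()/getlogin() bounds described in the three messages above, as an added user-space model (not kern_prot.c code): the name is copied into a local buffer and validated first, s_login is overwritten only once the call is known to succeed, and getlogin() never copies more than MAXLOGNAME bytes. MAXLOGNAME is taken as 17 (16 characters plus NUL), the copyinstr stand-in and the session struct are this example's own, and the sample session is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define MAXLOGNAME 17                /* 16 characters plus the NUL */

struct msession {
    char s_login[MAXLOGNAME];        /* always NUL-terminated */
};

/* copyinstr stand-in: copy at most len bytes including the NUL; ENAMETOOLONG
 * if the source is not terminated within len bytes. */
static int copyinstr_model(const char *src, char *dst, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        dst[i] = src[i];
        if (src[i] == '\0')
            return 0;
    }
    return ENAMETOOLONG;
}

/* setlogin: validate into a local buffer first; s_login is written only
 * when the call is going to succeed, so a rejected name leaves it intact. */
int setlogin_model(struct msession *s, const char *name, int is_super)
{
    char tmp[MAXLOGNAME] = { 0 };
    int error;

    if (!is_super)
        return EPERM;
    error = copyinstr_model(name, tmp, sizeof(tmp));
    if (error == ENAMETOOLONG)
        error = EINVAL;              /* 17 or more characters: rejected */
    if (error != 0)
        return error;
    memcpy(s->s_login, tmp, sizeof(tmp));
    return 0;
}

/* getlogin: never read beyond s_login, and never write beyond namelen. */
int getlogin_model(const struct msession *s, char *namebuf, size_t namelen)
{
    size_t need = strlen(s->s_login) + 1;
    if (namelen > MAXLOGNAME)
        namelen = MAXLOGNAME;        /* the MAXLOGNAME clamp from the commit */
    if (need > namelen)
        return ERANGE;
    memcpy(namebuf, s->s_login, need);
    return 0;
}

/* constructed session and output buffer for the demonstration */
struct msession sess = { "root" };
char login_out[64];
```

The off-by-one is the boundary between a 16-character name, which must be accepted, and a 17-character one, which must be rejected without touching s_login; the bounded copy makes that boundary explicit.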
* Make the long-awaited change from $Id$ to $FreeBSD$
  This will make a number of things easier in the future, as well as
  (finally!) avoiding the Id-smashing problem which has plagued developers
  for so long.

  Boy, I'm glad we're not using sup anymore. This update would have been
  insane otherwise.
  -- jkh, 1997-01-14 (1 file, -1/+1)
* Fixed setpgid(). Negative pgids were accepted.
  Found by: NIST-PCTS
  -- bde, 1996-12-19 (1 file, -1/+3)
* Added #include of <unistd.h> so that there is some chance that
  _POSIX_SAVED_IDS is defined. This feature was broken for a day or two.
  -- bde, 1996-09-03 (1 file, -1/+2)
* Conditionalize POSIX saved ids code on _POSIX_SAVED_IDS define
  -- ache, 1996-09-01 (1 file, -4/+22)
* Fix a panic caused by (proc)->p_session being dereferenced for a process
  that was exiting.
  -- dg, 1996-05-30 (1 file, -2/+2)
* Included <sys/sysproto.h> to get central declarations for syscall args
  structs and prototypes for syscalls.

  Ifdefed duplicated decentralized declarations of args structs. It's
  convenient to have this visible but they are hard to maintain. Some are
  already different from the central declarations. 4.4lite2 puts them in
  comments in the function headers but I wanted to avoid the large changes
  for that.
  -- bde, 1995-11-12 (1 file, -1/+40)
* Fixed type of setsid(). It used the bogus `getsid_args'.
  -- bde, 1995-11-11 (1 file, -3/+3)
* Return EINVAL if the number of groups is less than 1 in setgroups().
  Obtained from: 4.4BSD-Lite2
  -- dg, 1995-11-04 (1 file, -2/+3)
* Remove prototype definitions from <sys/systm.h>.
  Prototypes are located in <sys/sysproto.h>.

  Add appropriate #include <sys/sysproto.h> to files that needed protos
  from systm.h.

  Add structure definitions to appropriate files that relied on
  sys/systm.h, right before system call definition, as in the rest of the
  kernel source.

  In kern_prot.c, instead of using the dummy structure "args", create
  individual dummy structures named <syscall>_args. This makes life easier
  for prototype generation.
  -- swallace, 1995-10-08 (1 file, -10/+37)
* Optimized and simplified version of setreuid/gid
  Fixed: lack of crcopy in certain conditions, lack of setting sv[ug]id in
  certain conditions. Fixes non-critical.
  -- ache, 1995-06-15 (1 file, -34/+33)
* set[ug]id(): call suser() only when necessary
  Submitted by: bde
  -- ache, 1995-04-29 (1 file, -9/+9)