Date:      Sun, 24 Aug 2008 20:50:30 GMT
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 148281 for review
Message-ID:  <200808242050.m7OKoUw1064835@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=148281

Change 148281 by rwatson@rwatson_freebsd_capabilities on 2008/08/24 20:50:22

	Don't allow setuid/setgid/MAC transition in capability mode for
	reasons of conservatism; comment on this.

Affected files ...

.. //depot/projects/trustedbsd/capabilities/src/sys/kern/kern_exec.c#12 edit

Differences ...

==== //depot/projects/trustedbsd/capabilities/src/sys/kern/kern_exec.c#12 (text+ko) ====

@@ -631,6 +631,13 @@
 	 * Don't honor setuid/setgid if the filesystem prohibits it or if
 	 * the process is being traced.
 	 *
+	 * We disable setuid/setgid/etc in capability mode on the basis that
+	 * most setugid applications are not written with that environment in
+	 * mind, and will therefore almost certainly operate incorrectly.  In
+	 * principle there's no reason that setugid applications might not be
+	 * useful in capability mode, so we may want to reconsider this
+	 * conservative design choice in the future.
+	 *
 	 * XXXMAC: For the time being, use NOSUID to also prohibit
 	 * transitions on the file system.
 	 */
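Review bot: the new comment says "setuid/setgid/etc" while the change description also covers MAC transitions; since the XXXMAC note directly below explains that the same NOSUID condition is what currently blocks MAC transitions, and the capability-mode test is added to that same condition, the comment should say explicitly that MAC-based credential transitions are disabled in capability mode too, so a reader does not have to infer it from "etc".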
@@ -647,6 +654,7 @@
 #endif
 
 	if (credential_changing &&
+	    (oldcred->cr_flags & CRED_FLAG_CAPMODE) == 0 &&
 	    (imgp->vp->v_mount->mnt_flag & MNT_NOSUID) == 0 &&
 	    (p->p_flag & P_TRACED) == 0) {
 		/*
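Review bot: adding `(oldcred->cr_flags & CRED_FLAG_CAPMODE) == 0` to the `credential_changing` condition means a setugid image executed from capability mode is run with the caller's unchanged credentials rather than having the exec refused, exactly as a NOSUID mount or P_TRACED is handled; that silent-downgrade behaviour is probably what the comment in the previous hunk intends, but it is worth stating in the comment that exec succeeds without the transition rather than failing. Also, the visible lines do not show where `oldcred` is assigned; confirm it is the executing process's credential at entry (the one whose mode matters) and not the new credential being built for the image.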
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200808242050.m7OKoUw1064835>