Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 14 Jun 2003 23:36:19 -0700 (PDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/sys/ufs/ufs quota.h ufs_quota.c ufs_vfsops.c
Message-ID:  <200306150636.h5F6aJ8K075389@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help 
rwatson     2003/06/14 23:36:19 PDT

  FreeBSD src repository

  Modified files:
    sys/ufs/ufs          quota.h ufs_quota.c ufs_vfsops.c 
  Log:
  Re-implement kernel access control for quotactl() as found in the
  UFS quota implementation.  Push some quite broken access control
  logic out of ufs_quotactl() into the individual command
  implementations in ufs_quota.c; fix that logic.  Pass in the thread
  argument to any quotactl command that will need to perform access
  control.
  
  o quotaon() requires privilege (PRISON_ROOT).
  
  o quotaoff() requires privilege (PRISON_ROOT).
  
  o getquota() requires that:
  
      If the type is USRQUOTA, either the effective uid match the
      requested quota ID, that the unprivileged_get_quota flag be
      set, or that the thread be privileged (PRISON_ROOT).
  
      If the type is GRPQUOTA, require that either the thread be
      a member of the group represented by the requested quota ID,
      that the unprivileged_get_quota flag be set, or that the
      thread be privileged (PRISON_ROOT).
  
  o setquota() requires privilege (PRISON_ROOT).
  
  o setuse() requires privilege (PRISON_ROOT).
  
  o qsync() requires no special privilege (consistent with what
    was present before, but probably not very useful).
  
  Add a new sysctl, security.bsd.unprivileged_get_quota, which when
  set to a non-zero value, will permit unprivileged users to query user
  quotas with non-matching uids and gids.  Set this to 0 by default
  to be mostly consistent with the previous behavior (the same for
  USRQUOTA, but not for GRPQUOTA).
  
  Obtained from:  TrustedBSD Project
  Sponsored by:   DARPA, Network Associates Laboratories
  
  Revision  Changes    Path
  1.25      +3 -3      src/sys/ufs/ufs/quota.h
  1.65      +51 -3     src/sys/ufs/ufs/ufs_quota.c
  1.37      +4 -17     src/sys/ufs/ufs/ufs_vfsops.c

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200306150636.h5F6aJ8K075389>