Date: Mon, 3 Nov 1997 21:07:53 +0500 (ES) From: Vasim Valejev <vasim@uddias.diaspro.com> To: FreeBSD-gnats-submit@FreeBSD.ORG Subject: kern/4927: kernel does not check any quota and permissions after setuid() on opened files Message-ID: <199711031607.VAA20558@uddias.diaspro.com> Resent-Message-ID: <199711031610.IAA10925@hub.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 4927
>Category: kern
>Synopsis: kernel does not check any quota and permissions after setuid() on opened files
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 3 08:10:01 PST 1997
>Last-Modified:
>Originator: Vasim Valejev
>Organization:
DiasPro
>Release: FreeBSD 3.0-CURRENT i386
>Environment:
FreeBSD 3.0-CURRENT (FreeBSD 2.2-STABLE too)
>Description:
If program running as root opens file and setuids to other user , it still can read/write to this file as root (without check quotas and file permissions) .
>How-To-Repeat:
Create account 'testquot' and set quota for this account on /var partition to 20 blocks (hard and soft limits) . Then run next program from root's shell :
#include <sys/types.h>
#include <sys/uio.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <stdio.h>
#include <pwd.h>
#include <unistd.h>
#define BLOCK_QUOTA 50
#define TEST_ACCOUNT "testquot"
#define TEST_FILE "/var/tmp/test_for_quota"
main ()
{
int fd;
char *buffer;
struct passwd *pw;
buffer = (char *) malloc(BLOCK_QUOTA * 512);
memset(buffer, 245, BLOCK_QUOTA * 512);
if ((pw = getpwnam(TEST_ACCOUNT)) == NULL)
{
fprintf(stderr, "Create account %s first !\n", TEST_ACCOUNT);
exit(1);
}
if ((fd = open(TEST_FILE, O_CREAT | O_EXCL | O_WRONLY)) == -1)
{
perror("open");
exit(1);
}
if (fchmod(fd, S_IRUSR | S_IWUSR) == -1)
{
perror("fchmod");
exit(1);
}
if (setuid(pw->pw_uid) == -1)
{
fprintf(stderr, "Cant setuid to uid %d !\n", pw->pw_uid);
exit(1);
}
write(fd, buffer, BLOCK_QUOTA * 512);
close(fd);
printf("try du -s %s\n", TEST_FILE);
}
File /var/tmp/test_for_quota will have size 50 blocks :( .
It looks not good . Some program can work not right . For example - mail.local from sendmail 8.8.7 - it does setreuid() before write to user's mailbox (and after open()) but quotas for users mailboxes does not work !
>Fix:
Don't know .
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199711031607.VAA20558>