Date: Wed, 16 Jan 2002 15:29:12 +0300
From: "Vladimir B.Grebenschikov" <vova@sw.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: kmv@sw.ru
Subject: kern/33940: quotactl allows compromise gid-quotas
Message-ID: <E16QpBo-0000Mr-00@vbook.express.ru>

>Number: 33940
>Category: kern
>Synopsis: quotactl allows compromise gid-quotas
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jan 16 04:30:04 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Vladimir B. Grebenschikov
>Release: FreeBSD 4.4-RELEASE i386
>Organization:
SW soft
>Environment:
System: FreeBSD 4.4-RELEASE i386
also tried with RELENG_4
>Description:
ufs_quotactl(mp, cmds, uid, arg, p) accepts uid (actually id) from syscall quotactl(2)
if id == -1 (function assumes that id = p->p_cred->p_ruid):

/* code */
if (uid == -1)
        uid = p->p_cred->p_ruid;
/* code */

but, type of quota may be not USRQUOTA there.

so user with uid X can access groupquota of gid X
>How-To-Repeat:
>Fix:
diff against RELENG_4:

diff -u -u -r1.17.2.3 ufs_vfsops.c --- sys/ufs/ufs/ufs_vfsops.c 2001/10/14 19:08:16 1.17.2.3 +++ sys/ufs/ufs/ufs_vfsops.c 2002/01/16 12:08:38 @@ -103,10 +103,22 @@ #else int cmd, type, error; - if (uid == -1) - uid = p->p_cred->p_ruid; + type = cmds & SUBCMDMASK; cmd = cmds >> SUBCMDSHIFT; + if (uid == -1) { + switch (type) { + case USRQUOTA: + uid = p->p_cred->p_ruid; + break; + case GRPQUOTA: + uid = p->p_cred->p_rgid; + break; + default: + return (EINVAL); + } + } + switch (cmd) { case Q_SYNC: break; @@ -119,7 +131,6 @@ return (error); } - type = cmds & SUBCMDMASK; if ((u_int)type >= MAXQUOTAS) return (EINVAL); if (vfs_busy(mp, LK_NOWAIT, 0, p))
>Release-Note:
>Audit-Trail:
>Unformatted:
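
Review bot: In the first hunk (@@ -103,10 +103,22 @@), the choice between p_ruid and p_rgid is made only inside "if (uid == -1)", so a caller that passes its own uid explicitly together with GRPQUOTA reaches "switch (cmd)" exactly as before. The cases of that switch beyond Q_SYNC are outside the visible context; if any of them compares the id with p->p_cred->p_ruid to decide whether the privilege check can be skipped, that comparison needs the same per-type treatment, otherwise the gid-quota access described in the report stays reachable without passing -1. Because the variable now holds a gid for GRPQUOTA, renaming it from uid to id (the name the description already uses) would make that dual meaning visible at each use.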
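
Review bot: In the second hunk (@@ -119,7 +131,6 @@), the range check "if ((u_int)type >= MAXQUOTAS)" stays after "switch (cmd)" and its "return (error)" path, although type is now computed and switched on near the top of the function. Moving the check up so that it directly follows "type = cmds & SUBCMDMASK;" would validate type before its first use and make the EINVAL result for a bad type independent of whether the caller passed -1. The "default: return (EINVAL);" arm added in the first hunk would then be a safety net rather than a second validation site.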