Perhaps expose groupmember in genfs_vnops.c instead of duplicating?

christos

> On Oct 11, 2020, at 11:20 AM, J. Hannken-Illjes <hannken%eis.cs.tu-bs.de@localhost> wrote:
>
> The following reply was made to PR kern/55675; it has been noted by GNATS.
>
> From: "J. Hannken-Illjes" <hannken%eis.cs.tu-bs.de@localhost>
> To: gnats-bugs%netbsd.org@localhost
> Cc:
> Subject: Re: kern/55675: ZFS mounts do not work with setuid programs
> Date: Sun, 11 Oct 2020 17:18:56 +0200
>
> The attached diff should fix it -- please give it a try.
>
> --
> J. Hannken-Illjes - hannken%eis.cs.tu-bs.de@localhost - TU Braunschweig
>
> groupmember
>
> Stub groupmember() has to test both group list and current group id.
>
> Should fix kern/55675: ZFS mounts do not work with setuid programs
>
> diff -r 24849a7159a2 -r 46d585baea20 external/cddl/osnet/sys/sys/cred.h > --- external/cddl/osnet/sys/sys/cred.h > +++ external/cddl/osnet/sys/sys/cred.h 
> @@ -70,10 +70,12 @@ extern kauth_cred_t cred0; > static __inline int > groupmember(gid_t gid, cred_t *cr) > { > - int result; > + int result, error; > > - kauth_cred_ismember_gid(cr, gid, &result); > - return result; > + error = kauth_cred_ismember_gid(cr, gid, &result); > + if (error) > + return 0; > + return (kauth_cred_getegid(cr) == gid || result); > } > > #endif /* _KERNEL */
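
Review bot: in groupmember(), the early "if (error) return 0;" sits before the "kauth_cred_getegid(cr) == gid" comparison, so a failure of kauth_cred_ismember_gid() reports non-membership even when gid is the credential's effective group id. The egid comparison does not depend on result, so it could be tested first and the group-list lookup consulted only when it does not match; the error path then only affects the list lookup. A short comment above the function stating that it must cover both the group list and the current group id, as the commit message says, would keep the next reader from simplifying it back to the single call.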