tech-kern archive
Re: quotactl permissions
On Wed, Sep 05, 2012 at 10:54:43AM -0400, Thor Lancelot Simon wrote:
> On Wed, Sep 05, 2012 at 12:34:16PM +0000, Emmanuel Dreyfus wrote:
> > On Wed, Sep 05, 2012 at 06:37:27AM +0000, David Holland wrote:
> > > Changing it to effective uid seems like a good plan.
> >
> > The change below fixes the test case. Is it safe to commit?
>
> It fixes the test case, but it is still wrong. This UID check
> needs to be implemented in the kauth listener (adding a specific
> case for this action if there's not one) not open-coded in the UFS code.
Here's a (completely untested) patch that should do that.
eric
Index: secmodel/suser/secmodel_suser.c
===================================================================
RCS file: /space/netbsd/NetBSD-cvs/src/sys/secmodel/suser/secmodel_suser.c,v
retrieving revision 1.39
diff -u -r1.39 secmodel_suser.c
--- secmodel/suser/secmodel_suser.c 13 Mar 2012 18:41:02 -0000 1.39
+++ secmodel/suser/secmodel_suser.c 5 Sep 2012 16:56:44 -0000
@@ -268,6 +268,13 @@
case KAUTH_SYSTEM_FS_QUOTA:
switch (req) {
case KAUTH_REQ_SYSTEM_FS_QUOTA_GET:
+ /* The user can always query about his own quota. */
+ if (id == kauth_cred_geteuid(l->l_cred))
+ {
+ result = KAUTH_RESULT_ALLOW;
+ break;
+ }
+ /* FALLTHROUGH */
case KAUTH_REQ_SYSTEM_FS_QUOTA_ONOFF:
case KAUTH_REQ_SYSTEM_FS_QUOTA_MANAGE:
case KAUTH_REQ_SYSTEM_FS_QUOTA_NOLIMIT:
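Review bot: The added check reads `id` and `l->l_cred`, and neither name is declared in the lines shown here; the enclosing listener function starts and ends outside the hunk. A kauth listener is handed the credential and the request arguments as parameters, so the comparison should use that credential and an id decoded from the argument slot the UFS caller fills with `KAUTH_ARG(qk->qk_id)`, rather than the current lwp. Assuming the listener's usual parameter names, something like `if ((uid_t)(uintptr_t)arg2 == kauth_cred_geteuid(cred)) {` would do it, with the brace on the `if` line as in the surrounding kernel code. The mail marks the patch as untested, so a build plus the quota test case should confirm the decode before commit.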
Index: ufs/ufs/ufs_quota.c
===================================================================
RCS file: /space/netbsd/NetBSD-cvs/src/sys/ufs/ufs/ufs_quota.c,v
retrieving revision 1.109
diff -u -r1.109 ufs_quota.c
--- ufs/ufs/ufs_quota.c 18 Feb 2012 06:13:23 -0000 1.109
+++ ufs/ufs/ufs_quota.c 5 Sep 2012 16:57:32 -0000
@@ -331,16 +331,6 @@
return 0;
}
-/* XXX shouldn't all this be in kauth ? */
-static int
-quota_get_auth(struct mount *mp, struct lwp *l, uid_t id) {
- /* The user can always query about his own quota. */
- if (id == kauth_cred_getuid(l->l_cred))
- return 0;
- return kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_FS_QUOTA,
- KAUTH_REQ_SYSTEM_FS_QUOTA_GET, mp, KAUTH_ARG(id), NULL);
-}
-
static int
quota_handle_cmd_get(struct mount *mp, struct lwp *l,
struct quotactl_args *args)
@@ -357,7 +347,8 @@
if ((ump->um_flags & (UFS_QUOTA|UFS_QUOTA2)) == 0)
return EOPNOTSUPP;
- error = quota_get_auth(mp, l, qk->qk_id);
+ error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_FS_QUOTA,
+ KAUTH_REQ_SYSTEM_FS_QUOTA_GET, mp, KAUTH_ARG(qk->qk_id), NULL);
if (error != 0)
return error;
#ifdef QUOTA
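Review bot: Only `qk->qk_id` reaches the listener from this call, so the self-query shortcut added in secmodel_suser.c cannot tell a user id from a group id. If the key can also name a group quota, a caller whose effective uid happens to equal that gid would be allowed to read the group's quota without privilege; the removed `quota_get_auth()` had the same gap. Passing the key's id type in the argument that is currently `NULL`, for example `KAUTH_ARG(qk->qk_idtype)` if the key carries its type under that name, would let the listener apply the shortcut to user quotas only. quota_handle_cmd_get continues outside the hunk.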