From luigi@prova.iet.unipi.it  Tue Jun 10 14:53:37 1997
Received: from prova.iet.unipi.it (prova1.iet.unipi.it [131.114.9.11])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA06028
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 10 Jun 1997 14:53:34 -0700 (PDT)
Received: (from luigi@localhost)
	by prova.iet.unipi.it (8.8.5/8.8.5) id XAA01012;
	Tue, 10 Jun 1997 23:54:19 +0200 (CEST)
Message-Id: <199706102154.XAA01012@prova.iet.unipi.it>
Date: Tue, 10 Jun 1997 23:54:19 +0200 (CEST)
From: Luigi Rizzo <luigi@iet.unipi.it>
Reply-To: luigi@iet.unipi.it
To: FreeBSD-gnats-submit@freebsd.org
Subject: new feature for rtprio
X-Send-Pr-Version: 3.2

>Number:         3837
>Category:       bin
>Synopsis:       new feature for rtprio
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    dougb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 10 15:00:01 PDT 1997
>Closed-Date:    Sun Mar 02 14:49:39 PST 2003
>Last-Modified:  Sun Mar 02 14:49:39 PST 2003
>Originator:     Luigi Rizzo
>Release:        FreeBSD 2.2.1-RELEASE i386
>Organization:
Dip. Ing. Informazione Univ. Pisa
>Environment:

>Description:

	This patch allows users listed in /etc/rtprio.conf to set
	realtime priorities for processes. Useful to let non-root
	users burn CDs. I also include the small manpage change.


>How-To-Repeat:

>Fix:
	
--- rtprio.1.orig	Fri Mar  7 08:45:39 1997
+++ rtprio.1	Tue Jun 10 23:47:26 1997
@@ -107,8 +107,15 @@
 .Ar Pid
 of 0 means "the current process".
 .Pp
-Only root is allowed to set realtime priorities. Non-root processes may
+Only root or users listed in
+.Ar /etc/rtprio.conf
+are
+allowed to set realtime priorities. Non-allowed processes may
 set idle priority levels for the current process only.
+.Pp
+.Ar /etc/rtprio.conf
+must be be a regular file owned by root and not writable by other users.
+It contains one username per line, starting at the beginning of the line.
 .Sh RETURN VALUE
 If
 .Nm rtprio
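Review bot: The added sentence in the new .Pp paragraph reads "must be be a regular file"; drop the repeated word. Both added references to /etc/rtprio.conf are marked up with .Ar, which is for command arguments; .Pa is the mdoc macro for path names. The text says "not writable by other users" while the code in rtprio.c rejects the file when either S_IWGRP or S_IWOTH is set, so it would be clearer to say "not writable by group or others".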
--- rtprio.c.orig	Sun Oct  2 05:48:21 1994
+++ rtprio.c	Tue Jun 10 23:43:07 1997
@@ -46,6 +46,77 @@
 
 static void usage();
 
+/*
+ * this module checks which modules are allowed to set rtpriority.
+ * Allowed users are listed in /etc/rtprio.conf, which must not be
+ * writable by others than root. One user per line, starting at
+ * the beginning.
+ *
+ */
+
+#include <syslog.h>
+#include <pwd.h>
+#include <sys/stat.h>
+
+#define	_PATH_RTPRIOCONF	"/etc/rtprio.conf"
+
+int
+allowed_user()
+{
+    FILE  *fp;
+    char   line[BUFSIZ];
+    int    lineno = 0 ;
+    int    end ;
+    uid_t  uid;
+    struct passwd *pw;
+    struct stat sb;
+
+    uid = getuid() ;
+    if (uid == 0)
+	return 1;	/* root is always allowed */
+
+    if (stat(_PATH_RTPRIOCONF, &sb))
+	return 0;
+
+    /*
+     * the access control file must be a regular file, owned by
+     * root and not writable by others
+     *
+     */
+    if ( (sb.st_uid != 0) || ( (sb.st_mode & S_IFMT) != S_IFREG) ||
+	 ( (sb.st_mode & (S_IWGRP | S_IWOTH)) != 0 ) ) {
+	syslog(LOG_ERR, "%s: bad permissions, ignoring it",
+		_PATH_RTPRIOCONF);
+	return 0 ;
+    }
+    /* should check that _PATH_RTPRIOCONF is only writable by root. */
+
+    if (fp = fopen(_PATH_RTPRIOCONF, "r")) {
+	while (fgets(line, sizeof(line), fp)) {
+	    lineno++;
+	    if (line[end = strlen(line) - 1] != '\n') {
+		syslog(LOG_ERR, "%s: line %d: missing newline or line too long",
+			_PATH_RTPRIOCONF, lineno);
+		continue;
+	    }
+	    while (end > 0 && isspace(line[end - 1]))
+		end--;
+	    line[end] = 0;
+	    if (line[0] == 0)
+		continue;
+	    pw = getpwnam(line) ;
+	    if ( pw && pw->pw_uid == uid ) {
+		fclose(fp);
+		return 1 ;
+	    }
+	}
+	fclose(fp);
+    }
+    syslog(LOG_ERR, "%s: userid %d not allowed",
+	_PATH_RTPRIOCONF, uid);
+    return 0 ;
+}
+
 int
 main(argc, argv)
 	int     argc;
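Review bot: allowed_user() vets ownership and mode with stat() on the path and then opens the same path again with fopen(), so the object that was checked is not guaranteed to be the object that is read. Open the file first and run the checks with fstat(fileno(fp), &sb) on the open stream, so both steps act on one file. Smaller points in the same function: line[end = strlen(line) - 1] indexes line[-1] if fgets() ever returns a line that begins with a NUL byte, isspace(line[end - 1]) should cast its argument to unsigned char, the header comment says "which modules are allowed" where it means users, and the leftover "should check that ... is only writable by root" comment describes a test the code above it already performs.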
@@ -55,6 +126,7 @@
 	int     proc = 0;
 	struct rtprio rtp;
 
+	seteuid( getuid() );	/* drop privileges immediately */
 	/* find basename */
 	if ((p = rindex(argv[0], '/')) == NULL)
 		p = argv[0];
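Review bot: The result of seteuid( getuid() ) at the top of main() is ignored, so if the call fails everything after it keeps running with the set-user-ID effective uid while the comment claims privileges are gone. Check the return value and stop on failure, for example: if (seteuid(getuid()) != 0) { perror("seteuid"); exit(1); }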
@@ -113,10 +185,13 @@
 		if (argv[2][0] == '-')
 			proc = -atoi(argv[2]);
 
+		if (allowed_user())
+			seteuid(0);	/* raise privilege */
 		if (rtprio(RTP_SET, proc, &rtp) != 0) {
 			perror(argv[0]);
 			exit (1);
 		}
+		seteuid(getuid());	/* lower privilege again */
 
 		if (proc == 0) {
 			execvp(argv[2], &argv[2]);
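Review bot: Once allowed_user() succeeds, rtprio(RTP_SET, proc, &rtp) runs with effective uid 0 for whatever pid came out of -atoi(argv[2]), so a user listed in the file can change the priority of any process on the system, not only their own. If that is not the intent, raise privilege only when proc == 0, or confirm that the target process belongs to the caller before calling seteuid(0). The seteuid(getuid()) that lowers privilege again is the last step before execvp() and its result is not checked; test it and exit instead of exec'ing the command if it fails. The result of seteuid(0) is unchecked as well, which only costs a confusing perror() message but is worth handling for the same reason.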
>Release-Note:
>Audit-Trail:

From: j@uriah.heep.sax.de (J Wunsch)
To: luigi@iet.unipi.it
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/3837: new feature for rtprio
Date: Sun, 15 Jun 1997 16:33:09 +0200

 As Luigi Rizzo wrote:
 
 > 	This patch allows users listed in /etc/rtprio.conf to set
 > 	realtime priorities for processes. Useful to let non-root
 > 	users burn CDs. I also include the small manpage change.
 
 Sorry to take you down on this, but I don't like it.  If we start to
 create /etc/foo.conf for every foo that requires root privileges, we
 won't ever come to an end.
 
 Your problem is exactly what things like suidperl or sudo have been
 made for.  This has the additional advantage that you don't need to
 trust some user more than the other, but only need to trust some
 application to not abuse the feature.
 
 (Also see my other mail, rtprio is probably not needed for CD-Rs at
 all.)
 
 What do other people think?
 
 -- 
 cheers, J"org
 
 joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
 Never trust an operating system you don't have sources for. ;-)

From: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To: joerg_wunsch@uriah.heep.sax.de
Cc: luigi@iet.unipi.it, FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/3837: new feature for rtprio
Date: Tue, 17 Jun 1997 09:53:12 +0200 (MET DST)

 > As Luigi Rizzo wrote:
 > 
 > > 	This patch allows users listed in /etc/rtprio.conf to set
 > > 	realtime priorities for processes. Useful to let non-root
 > > 	users burn CDs. I also include the small manpage change.
 > 
 > Sorry to take you down on this, but I don't like it.  If we start to
 > create /etc/foo.conf for every foo that requires root privileges, we
 > won't ever come to an end.
 
 Agreed. Jordan already pointed this out, and suggested the use of
 login.conf for this (and other similar) capability.
 
 The problem: I have 2.2.1, and don't know what I need to upgrade in
 order to have login.conf working. "login" perhaps, and then what else?
 
 > Your problem is exactly what things like suidperl or sudo have been
 > made for.  This has the additional advantage that you don't need to
 > trust some user more than the other, but only need to trust some
 > application to not abuse the feature.
 
 Abstracting from the specific problem, one way or another, if the
 number of apps requiring root privs is large, you'll have a large
 configuration database, be it in the form of foo.conf files, or
 login.conf capabilities, or sudo configuration entries. Methods to
 simplify configurations apply to all the above variants (although
 I agree that my foo.conf idea is the worst of the 3 and let's assume
 I never proposed it :)
 
 Coming to rtprio, the problem is that it does an exec of the next
 program without dropping privileges, so once you have made it run
 with root privs you have lost any security. It really needs to be
 patched, one way or another, to run with root privs.
 
 	Cheers
 	Luigi
 -----------------------------+--------------------------------------
 Luigi Rizzo                  |  Dip. di Ingegneria dell'Informazione
 email: luigi@iet.unipi.it    |  Universita' di Pisa
 tel: +39-50-568533           |  via Diotisalvi 2, 56126 PISA (Italy)
 fax: +39-50-568522           |  http://www.iet.unipi.it/~luigi/
 _____________________________|______________________________________
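
An added example, not part of this PR or of rtprio itself, for the concern raised in the message above about exec'ing the next program while still privileged: a set-user-ID wrapper gives up its privilege permanently and verifies the drop before running the user's command. The function names drop_privs_permanently() and exec_unprivileged() are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Make real, effective and saved IDs those of the invoking user.
 * Returns 0 on success, -1 if a step fails or root can be regained.
 */
int
drop_privs_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: after the uid is dropped we may not change gids. */
    if (setgid(rgid) != 0)
        return -1;
    /* When the effective uid is 0 this also resets the saved uid. */
    if (setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* For a non-root caller, getting root back must now fail. */
    if (ruid != 0 && (seteuid(0) == 0 || setuid(0) == 0))
        return -1;
    return 0;
}

/* Run argv[] only after the drop has been verified. */
int
exec_unprivileged(char *const argv[])
{
    if (drop_privs_permanently() != 0) {
        fprintf(stderr, "refusing to exec %s with privileges\n", argv[0]);
        return -1;
    }
    execvp(argv[0], argv);
    return -1;          /* execvp() returns only on failure */
}

int
main(int argc, char **argv)
{
    if (argc < 2)
        return 2;
    exec_unprivileged(argv + 1);
    perror(argv[1]);
    return 1;
}
```
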
Responsible-Changed-From-To: freebsd-bugs->dufault 
Responsible-Changed-By: dufault 
Responsible-Changed-When: Fri Aug 1 05:02:26 PDT 1997 
Responsible-Changed-Why:  
Take over rtprio/p1003.4 reports 
State-Changed-From-To: open->feedback 
State-Changed-By: ashp 
State-Changed-When: Sat Feb 16 13:44:20 PST 2002 
State-Changed-Why:  
Hiya, 

Noticed this hasn't been touched in five years.  Is this still 
a problem with recent copies of FreeBSD? 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=3837 
State-Changed-From-To: feedback->closed 
State-Changed-By: dougb 
State-Changed-When: Sun Mar 2 14:47:19 PST 2003 
State-Changed-Why:  

1. Feedback timeout (5.5 years!) 
2. Originator is now a committer, so he can revisit this topic if he 
chooses, but the idea seems to have died on the vine. 


Responsible-Changed-From-To: dufault->dougb 
Responsible-Changed-By: dougb 
Responsible-Changed-When: Sun Mar 2 14:47:19 PST 2003 
Responsible-Changed-Why:  

dufault merely asked for feedback, and he's no longer with us. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=3837 
>Unformatted:
