From root@tfz.net  Thu Oct  5 08:16:34 2000
Return-Path: <root@tfz.net>
Received: from ender.tfz.net (ender.worldnet.net [195.3.3.22])
	by hub.freebsd.org (Postfix) with ESMTP id 37A1F37B503
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  5 Oct 2000 08:16:34 -0700 (PDT)
Received: by ender.tfz.net (Postfix, from userid 0)
	id 1B9CF13; Thu,  5 Oct 2000 17:16:29 +0200 (CEST)
Message-Id: <20001005151629.1B9CF13@ender.tfz.net>
Date: Thu,  5 Oct 2000 17:16:29 +0200 (CEST)
From: pb@hert.org
Sender: root@tfz.net
Reply-To: pb@hert.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: jail problem
X-Send-Pr-Version: 3.2

>Number:         21769
>Category:       kern
>Synopsis:       jail problem
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    rwatson
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 05 08:20:01 PDT 2000
>Closed-Date:    Mon Nov 26 11:11:15 PST 2001
>Last-Modified:  Tue Nov 27 18:33:20 PST 2001
>Originator:     Pascal Bouchareine
>Release:        FreeBSD 5.x current, 4.0, 4.1
>Organization:
HERT
>Environment:

	FreeBSD and jail() support - any release I could test this on.
	Jail and mount settings are by default.

>Description:

	A jailed superuser is able to unmount a directory, provided that
	this directory is under his jail root directory.

	The problem lies in the way uid is checked. Where user.creds are
        compared to object.creds, if uid == 0, the suser()-in-jail-like 
        behaviour is not true anymore. This may be true for other protection 
        checks (ipc, nicing of processes, what else.. ?)
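
	The check described above, as an added worked example that is not
	part of this PR or of FreeBSD's vfs_syscalls.c: three versions of the
	unmount permission test are run over the same subjects (real root,
	jailed root, the user who did the mount, another user) against a
	filesystem mounted by root and one mounted by uid 1000. The
	struct ucred / struct mount layouts, the cr_prison flag, suser_model()
	and the unmount_check() wrapper are simplified stand-ins assumed for
	the example; the "fixed" condition is this example's reading of the
	reporter's intent (uid 0 never gets the ownership shortcut and is
	always sent through suser()), not the change that was eventually
	committed.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Minimal stand-in for the FreeBSD 4.x structures involved. Field names
 * cr_uid and f_owner follow the report; cr_prison is an assumption that
 * stands in for the kernel's jail pointer (non-zero: process is jailed). */
struct ucred {
	uid_t cr_uid;
	int   cr_prison;
};

struct mount {
	uid_t f_owner;   /* uid that performed the mount (mnt_stat.f_owner) */
};

/* Simplified suser(): only an unjailed uid 0 passes. Jailed root is refused
 * because unmounting is not a privilege the jail grants. This models the
 * "suser()-in-jail-like behaviour" the report refers to, not the real
 * kernel function. */
static int suser_model(const struct ucred *cred)
{
	if (cred->cr_uid != 0)
		return EPERM;
	if (cred->cr_prison)
		return EPERM;
	return 0;
}

/* Check as in the unpatched vfs_syscalls.c quoted under >Fix: an owner match
 * short-circuits past suser(), so jailed root (uid 0) unmounting a filesystem
 * mounted by real root (f_owner == 0) is never asked for privilege. */
int unmount_check_vulnerable(const struct mount *mp, const struct ucred *cred)
{
	int error = 0;
	if ((mp->f_owner != cred->cr_uid) && (error = suser_model(cred)))
		return error;
	return 0;
}

/* Condition exactly as written in the diff proposed under >Fix. With
 * cr_uid == 0 the inner && is false, so the if body is skipped and root is
 * always allowed, jailed or not. */
int unmount_check_as_patched(const struct mount *mp, const struct ucred *cred)
{
	int error = 0;
	if ((cred->cr_uid && (mp->f_owner != cred->cr_uid)) &&
	    (error = suser_model(cred)))
		return error;
	return 0;
}

/* The report's stated intent: uid 0 never gets the ownership shortcut and
 * always goes through suser(), where the jail restriction is enforced.
 * This is the example's own formulation (assumption), not the committed fix. */
int unmount_check_fixed(const struct mount *mp, const struct ucred *cred)
{
	int error = 0;
	if ((cred->cr_uid == 0 || mp->f_owner != cred->cr_uid) &&
	    (error = suser_model(cred)))
		return error;
	return 0;
}

/* Wrapper for the scenario table: variant 0 = vulnerable, 1 = as patched,
 * 2 = fixed. Returns 0 (unmount allowed) or EPERM. */
int unmount_check(int variant, uid_t f_owner, uid_t uid, int jailed)
{
	struct mount mp = { f_owner };
	struct ucred cred = { uid, jailed };
	switch (variant) {
	case 0:  return unmount_check_vulnerable(&mp, &cred);
	case 1:  return unmount_check_as_patched(&mp, &cred);
	default: return unmount_check_fixed(&mp, &cred);
	}
}

int main(void)
{
	/* Constructed subjects and mount owners for the table. */
	static const struct { const char *who; uid_t uid; int jailed; } subj[] = {
		{ "real root",   0,    0 },
		{ "jailed root", 0,    1 },
		{ "owner 1000",  1000, 0 },
		{ "other 1001",  1001, 0 },
	};
	static const uid_t owners[] = { 0, 1000 };
	size_t i, j;

	printf("%-12s %-8s %-10s %-10s %-10s\n",
	       "subject", "f_owner", "vulnerable", "as patched", "fixed");
	for (i = 0; i < sizeof subj / sizeof subj[0]; i++)
		for (j = 0; j < sizeof owners / sizeof owners[0]; j++)
			printf("%-12s %-8u %-10s %-10s %-10s\n",
			       subj[i].who, (unsigned)owners[j],
			       unmount_check(0, owners[j], subj[i].uid, subj[i].jailed) ? "EPERM" : "ok",
			       unmount_check(1, owners[j], subj[i].uid, subj[i].jailed) ? "EPERM" : "ok",
			       unmount_check(2, owners[j], subj[i].uid, subj[i].jailed) ? "EPERM" : "ok");
	return 0;
}
```

	The "as patched" column reproduces the condition from the diff under
	>Fix: for uid 0 the inner && is false, so suser() is still never
	reached and jailed root is allowed through, including on a filesystem
	mounted by uid 1000 where the unpatched code would at least have asked
	suser().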

>How-To-Repeat:

	I'm so sorry I don't have an example right there. Just email
	me back for the C source I tested this with.

>Fix:
	
--- vfs_syscalls.c      Thu Oct  5 17:06:22 2000
+++ vfs_syscalls.c.new  Thu Oct  5 17:06:22 2000
@@ -423,7 +423,8 @@
         * Only root, or the user that did the original mount is
         * permitted to unmount this filesystem.
         */
-       if ((mp->mnt_stat.f_owner != p->p_ucred->cr_uid) &&
+       if ((p->p_ucred->cr_uid && 
+           (mp->mnt_stat.f_owner != p->p_ucred->cr_uid)) &&
            (error = suser(p))) {
                vput(vp);
                return (error);
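Review bot: the rewritten if condition in this hunk never reaches suser(p) for uid 0, so the bug the report describes is not fixed. For jailed root p->p_ucred->cr_uid is 0, the inner `(p->p_ucred->cr_uid && ...)` is false, the outer && short-circuits and the body is skipped, so the unmount proceeds without any privilege check; the unpatched code at least called suser(p) for a jailed root when mnt_stat.f_owner did not match, and the patched code drops even that case. To send uid 0 through the privilege check the ownership shortcut has to be withheld from root rather than granted to it, e.g. `if ((p->p_ucred->cr_uid == 0 || mp->mnt_stat.f_owner != p->p_ucred->cr_uid) && (error = suser(p)))`. The comment above the check ("Only root, or the user that did the original mount is permitted to unmount") should then say that root's permission is decided by suser(), since that is where the jail restriction is applied.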

	


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->rwatson 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Thu Oct 5 08:36:58 PDT 2000 
Responsible-Changed-Why:  
I'm chasing these bugs. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=21769 
State-Changed-From-To: open->closed 
State-Changed-By: rwatson 
State-Changed-When: Mon Nov 26 11:11:15 PST 2001 
State-Changed-Why:  
Committed to -CURRENT as part of vfs_syscalls.c:1.207 


http://www.FreeBSD.org/cgi/query-pr.cgi?pr=21769 
>Unformatted:
