From vova@sw.ru  Wed Jan 16 04:29:13 2002
Return-Path: <vova@sw.ru>
Received: from vbook.express.ru (asplinux.ru [195.133.213.194])
	by hub.freebsd.org (Postfix) with ESMTP id 9272A37B404
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 16 Jan 2002 04:29:12 -0800 (PST)
Received: from vova by vbook.express.ru with local (Exim 3.31 #2)
	id 16QpBo-0000Mr-00; Wed, 16 Jan 2002 15:29:12 +0300
Message-Id: <E16QpBo-0000Mr-00@vbook.express.ru>
Date: Wed, 16 Jan 2002 15:29:12 +0300
From: Vladimir B.Grebenschikov <vova@sw.ru>
Sender: "Vladimir B. Grebenschikov" <vova@sw.ru>
Reply-To: Vladimir B.Grebenschikov <vova@sw.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: kmv@sw.ru
Subject: quotactl allows compromise gid-quotas
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         33940
>Category:       kern
>Synopsis:       [ufs] [patch] quotactl allows compromise gid-quotas
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 16 04:30:04 PST 2002
>Closed-Date:    Thu Feb 01 07:53:42 GMT 2007
>Last-Modified:  Thu Feb 01 07:53:42 GMT 2007
>Originator:     Vladimir B. Grebenschikov
>Release:        FreeBSD 4.4-RELEASE i386
>Organization:
SW soft
>Environment:
System: FreeBSD 4.4-RELEASE i386
	also tried with RELENG_4
>Description:
	ufs_quotactl(mp, cmds, uid, arg, p)
	accepts uid (actually id) from syscall quotactl(2)

	if id == -1 (function assumes that id = p->p_cred->p_ruid):

/* code */
       if (uid == -1)
               uid = p->p_cred->p_ruid;
/* code */

	but the type of quota may not be USRQUOTA there,
	so a user with uid X can access the group quota of gid X

>How-To-Repeat:
	
>Fix:

diff against RELENG_4:

diff -u -u -r1.17.2.3 ufs_vfsops.c
--- sys/ufs/ufs/ufs_vfsops.c      2001/10/14 19:08:16     1.17.2.3
+++ sys/ufs/ufs/ufs_vfsops.c      2002/01/16 12:08:38
@@ -103,10 +103,22 @@
 #else
        int cmd, type, error;
 
-       if (uid == -1)
-               uid = p->p_cred->p_ruid;
+       type = cmds & SUBCMDMASK;
        cmd = cmds >> SUBCMDSHIFT;
 
+        if (uid == -1) {
+                switch (type) {
+                case USRQUOTA: 
+                        uid = p->p_cred->p_ruid;
+                        break;
+                case GRPQUOTA: 
+                        uid = p->p_cred->p_rgid;
+                        break;
+                default: 
+                        return (EINVAL);
+                }
+        }
+
        switch (cmd) {
        case Q_SYNC:
                break;
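Review bot: the new `switch (type)` only runs when `uid == -1`, so a caller passing an explicit id with an out-of-range type is not rejected here; that case still depends on the `if ((u_int)type >= MAXQUOTAS)` check later in the function, so keep that check rather than treating `default: return (EINVAL);` as the only range guard. Style: the inserted block is indented with eight spaces and leaves trailing whitespace after `case USRQUOTA:`, `case GRPQUOTA:` and `default:`, while the neighbouring lines (`type = cmds & SUBCMDMASK;`, `cmd = cmds >> SUBCMDSHIFT;`) follow the file's existing indentation; match it, and since the variable now receives `p_rgid` for GRPQUOTA, the `uid` name no longer describes its contents and is worth renaming to `id`.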
@@ -119,7 +131,6 @@
                        return (error);
        }
 
-       type = cmds & SUBCMDMASK;
        if ((u_int)type >= MAXQUOTAS)
                return (EINVAL);
        if (vfs_busy(mp, LK_NOWAIT, 0, p))
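Review bot: dropping `type = cmds & SUBCMDMASK;` here is correct only because the first hunk now computes `type` before the `cmd` switch, so the assignment would be a duplicate; the `if ((u_int)type >= MAXQUOTAS)` check that follows must stay, because the early `default: return (EINVAL);` arm is reached only when the id was -1, and an explicit id with a bogus type would otherwise carry an out-of-range `type` into `vfs_busy()` and the code after it.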
>Release-Note:
>Audit-Trail:

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/33940: commit references a PR
Date: Thu,  1 Feb 2007 02:14:14 +0000 (UTC)

 mpp         2007-02-01 02:13:53 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/ufs/ufs          ufs_vfsops.c 
   Log:
   Prevent quotactl calls that pass in an id of -1 from incorrectly
   using the caller's UID instead of the GID when performing group
   operations.  This could allow users to determine group quota
   information for groups they are not a member of in some cases.
   
   Rename the "uid" parameter in ufs_quotactl to "id" to better show
   that it is used for more than just the uid, and to be more in line
   with the naming conventions in the other quota routines.
   
   PR:     kern/33940
   
   Revision  Changes    Path
   1.48      +20 -7     src/sys/ufs/ufs/ufs_vfsops.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->closed 
State-Changed-By: mpp 
State-Changed-When: Thu Feb 1 07:52:39 UTC 2007 
State-Changed-Why:  
This should be fixed in 6.2-stable and 7.0-current with 
the supplied patch, with some minor changes.  Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=33940 
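The id-substitution step described in the PR and the commit log, as an added userland model (not the PR's patch and not FreeBSD's kernel code): the pre-fix and post-fix resolution side by side. The constants are assumed to mirror FreeBSD's sys/ufs/ufs/quota.h, and struct cred stands in for the caller's process credentials.

```c
#include <errno.h>
#include <sys/types.h>

/* Assumed to mirror sys/ufs/ufs/quota.h. */
#define SUBCMDMASK  0x00ff
#define SUBCMDSHIFT 8
#define USRQUOTA    0
#define GRPQUOTA    1
#define MAXQUOTAS   2
#define Q_GETQUOTA  0x0300
#define QCMD(cmd, type) (((cmd) << SUBCMDSHIFT) | ((type) & SUBCMDMASK))

struct cred { uid_t ruid; gid_t rgid; };  /* stand-in for p->p_cred */

/* Pre-fix: id == -1 always becomes the real uid, even for GRPQUOTA,
 * so a user with uid X ends up addressing the quota of gid X. */
static int resolve_id_vuln(int cmds, int id, const struct cred *c, int *out)
{
    int type = cmds & SUBCMDMASK;
    if (id == -1)
        id = c->ruid;
    if ((unsigned int)type >= MAXQUOTAS)
        return EINVAL;
    *out = id;
    return 0;
}

/* Post-fix (as in the PR's patch): substitute according to quota type. */
static int resolve_id_fixed(int cmds, int id, const struct cred *c, int *out)
{
    int type = cmds & SUBCMDMASK;
    if (id == -1) {
        switch (type) {
        case USRQUOTA: id = c->ruid; break;
        case GRPQUOTA: id = c->rgid; break;
        default:       return EINVAL;
        }
    }
    if ((unsigned int)type >= MAXQUOTAS)  /* still needed when id != -1 */
        return EINVAL;
    *out = id;
    return 0;
}
```

With a caller whose real uid is 1001 and real gid is 20, a GRPQUOTA request with id -1 resolves to 1001 in the pre-fix version and to 20 in the fixed one.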
>Unformatted:
