From vasim@uddias.diaspro.com  Mon Nov  3 08:08:40 1997
Received: from uddias.diaspro.com (vasim@uddias.diaspro.com [194.84.211.1])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA10767
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 3 Nov 1997 08:08:18 -0800 (PST)
          (envelope-from vasim@uddias.diaspro.com)
Received: (from vasim@localhost)
	by uddias.diaspro.com (8.8.7/8.8.7) id VAA20558;
	Mon, 3 Nov 1997 21:07:53 +0500 (ES)
Message-Id: <199711031607.VAA20558@uddias.diaspro.com>
Date: Mon, 3 Nov 1997 21:07:53 +0500 (ES)
From: Vasim Valejev <vasim@uddias.diaspro.com>
Reply-To: vasim@uddias.diaspro.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: kernel does not check any quota and permissions after setuid() on opened files
X-Send-Pr-Version: 3.2

>Number:         4927
>Category:       kern
>Synopsis:       kernel does not check any quota and permissions after setuid() on opened files
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov  3 08:10:01 PST 1997
>Closed-Date:    Sat Jul 21 22:50:49 PDT 2001
>Last-Modified:  Sat Jul 21 22:51:19 PDT 2001
>Originator:     Vasim Valejev
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
DiasPro
>Environment:

	FreeBSD 3.0-CURRENT (FreeBSD 2.2-STABLE too)

>Description:

	If a program running as root opens a file and then setuid()s to another user, it can still read/write this file as root (without any quota or file permission checks).

>How-To-Repeat:

	Create an account 'testquot' and set the quota for this account on the /var partition to 20 blocks (hard and soft limits). Then run the following program from root's shell:

#include <sys/types.h>
#include <sys/uio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>

#define BLOCK_QUOTA 50		/* 512-byte blocks to write: more than the 20-block quota */
#define TEST_ACCOUNT "testquot"
#define TEST_FILE "/var/tmp/test_for_quota"

int
main(void)
{
	int fd;
	char *buffer;
	struct passwd *pw;

	if ((buffer = malloc(BLOCK_QUOTA * 512)) == NULL)
	{
		perror("malloc");
		exit(1);
	}
	memset(buffer, 245, BLOCK_QUOTA * 512);

	if ((pw = getpwnam(TEST_ACCOUNT)) == NULL)
	{
		fprintf(stderr, "Create account %s first !\n", TEST_ACCOUNT);
		exit(1);
	}

	/* Opened while still root: permission checks happen here, and the
	 * new file is owned by root.  O_CREAT requires a mode argument. */
	if ((fd = open(TEST_FILE, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR)) == -1)
	{
		perror("open");
		exit(1);
	}

	if (fchmod(fd, S_IRUSR | S_IWUSR) == -1)
	{
		perror("fchmod");
		exit(1);
	}

	/* Drop privileges to the test account, keeping the root-opened fd. */
	if (setuid(pw->pw_uid) == -1)
	{
		fprintf(stderr, "Cant setuid to uid %d !\n", (int) pw->pw_uid);
		exit(1);
	}

	/* The write is neither re-checked against the file's permissions nor
	 * limited by the test account's quota. */
	if (write(fd, buffer, BLOCK_QUOTA * 512) == -1)
		perror("write");
	close(fd);
	printf("try du -s %s\n", TEST_FILE);
	return 0;
}

	File /var/tmp/test_for_quota will have a size of 50 blocks :( .

	This does not look good. Some programs may not work correctly. For example, mail.local from sendmail 8.8.7 does setreuid() before writing to the user's mailbox (and after open()), but quotas for users' mailboxes do not work!

>Fix:
	
	Don't know.
>Release-Note:
>Audit-Trail:

From: Omachonu Ogali <oogali@intranova.net>
To: freebsd-gnats-submit@freebsd.org
Cc: vasim@uddias.diaspro.com
Subject: Re: kern/4927: kernel does not check an quota and per
Date: Thu, 27 Apr 2000 03:06:58 -0400 (EDT)

 The example situation provided showed two things.  The file was not being
 changed to the ownership of the user and would exist under root, and two,
 the file did not exist and setting the O_CREAT flag in your open() call
 resulted in the file being created under the user currently executing the
 program which would be root.  Quotas are applied on a per user basis, not
 per directory (meaning a user can have 20mb of data in /tmp, but /tmp is
 not restricted to _only_ 20mb of data).
 
 -- 
 +-------------------------------------------------------------------------+
 | Omachonu Ogali                                     oogali@intranova.net |
 | Intranova Networking Group                 http://tribune.intranova.net |
 | PGP Key ID:                                                  0xBFE60839 |
 | PGP Fingerprint:       C8 51 14 FD 2A 87 53 D1  E3 AA 12 12 01 93 BD 34 |
 +-------------------------------------------------------------------------+
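Added example, not code from the PR or from FreeBSD: the pattern the description (the mail.local case) and the reply point to, namely switching to the target user's credentials before open() so that the permission check and the quota charge are made as that user. The helper names open_as_user, fd_owned_by and demo are hypothetical; the demo runs unprivileged against the caller's own uid/gid.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if needed) `path` with the effective credentials of uid/gid,
 * so the permission check at open() and the quota accounting for the file
 * happen as that user, not as root. Hypothetical helper, not FreeBSD code. */
int open_as_user(const char *path, uid_t uid, gid_t gid, int flags, mode_t mode)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd, saved_errno;
    if (setegid(gid) == -1)        /* gid first: only works while euid is root */
        return -1;
    if (seteuid(uid) == -1) {
        saved_errno = errno;
        (void)setegid(saved_gid);
        errno = saved_errno;
        return -1;
    }
    fd = open(path, flags, mode);  /* checked and charged as uid/gid */
    saved_errno = errno;
    (void)seteuid(saved_uid);      /* regain root before restoring the gid */
    (void)setegid(saved_gid);
    errno = saved_errno;
    return fd;
}

/* 1 if the open fd refers to a file owned by uid, i.e. blocks written through
 * it are charged to uid's quota (the effect an fchown() to uid would have). */
int fd_owned_by(int fd, uid_t uid)
{
    struct stat st;
    return fstat(fd, &st) == 0 && st.st_uid == uid;
}

/* Constructed demo: create `path` as the caller's real uid/gid, write one
 * 512-byte block, verify ownership and that privileges were restored. */
int demo(const char *path)
{
    char block[512] = {0};
    int ok, fd = open_as_user(path, getuid(), getgid(),
                              O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd == -1) return 0;
    ok = fd_owned_by(fd, getuid()) && write(fd, block, 512) == 512;
    close(fd); unlink(path);
    return ok && geteuid() == getuid() && getegid() == getgid();
}
```

Run as root, mail.local-style code would pass the recipient's uid/gid instead of the caller's own, and the file would then be both permission-checked and quota-accounted for that user.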
 
 
State-Changed-From-To: open->closed 
State-Changed-By: mike 
State-Changed-When: Sat Jul 21 22:50:49 PDT 2001 
State-Changed-Why:  

This is expected behaviour; see the Audit-Trail for details. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=4927 
>Unformatted:
