From jonny@jonny.eng.br  Sun Jul  5 00:51:22 1998
Received: from roma.coe.ufrj.br (jonny@roma.coe.ufrj.br [146.164.53.65])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA01900
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 5 Jul 1998 00:51:20 -0700 (PDT)
          (envelope-from jonny@jonny.eng.br)
Received: (from jonny@localhost)
	by roma.coe.ufrj.br (8.8.8/8.8.8) id EAA03831;
	Sun, 5 Jul 1998 04:51:20 -0300 (EST)
	(envelope-from jonny)
Message-Id: <199807050751.EAA03831@roma.coe.ufrj.br>
Date: Sun, 5 Jul 1998 04:51:20 -0300 (EST)
From: Joao Carlos Mendes Luis <jonny@jonny.eng.br>
Reply-To: jonny@jonny.eng.br
To: FreeBSD-gnats-submit@freebsd.org
Subject: accton on a append-only file
X-Send-Pr-Version: 3.2

>Number:         7169
>Category:       kern
>Synopsis:       cannot use accton on a append-only file
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    johan
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul  5 00:50:00 PDT 1998
>Closed-Date:    Wed Jul 24 11:34:39 PDT 2002
>Last-Modified:  Wed Jul 24 11:34:39 PDT 2002
>Originator:     Joao Carlos Mendes Luis
>Release:        FreeBSD 2.2.6-STABLE i386
>Organization:
COPPE/UFRJ
>Environment:

	FreeBSD-stable (but bug is probably present in -current also)

>Description:

	I want to raise the security of my system, making heavy use of
	securelevel and file flags.  All log files should be append-only,
	ie, flagged sappend.  This worked for most files, but not for
	accounting files (accton).  acct(2) is returning EPERM for an
	append-only file as argument.

>How-To-Repeat:

	$ chflags sappend /var/account/acct
	$ accton /var/account/acct

>Fix:
	
	I don't have enough knowledge to fix, but the bug seems to
	be in the kern_acct.c file.  I've sent a message about this
	to -hackers list, and received this answer.

...
Message-Id: <199807041545.RAA13938@semyam.dinoco.de>
cc: Joao Carlos Mendes Luis <jonny@jonny.eng.br>, seggers@semyam.dinoco.de
To: hackers@FreeBSD.ORG
Subject: Re: accton on a append-only file ? 
Date: Sat, 04 Jul 1998 17:45:36 +0200
From: Stefan Eggers <seggers@semyam.dinoco.de>

> I've created the /var/account/acct file with sappend,sunlink flags,
> but accton return EPERM.  If I run accton before setting those flags,

>   This seems to be a bug, but I still have much to learn from VFS

To me, too.  It is because kern_acct.c in 2.2-stable opens the file
for writing, not for appending.  There is the problem:

        /*
         * If accounting is to be started to a file, open that file for
         * writing and make sure it's a 'normal'.
         */
        if (uap->path != NULL) {
                NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, uap->path, p);
                error = vn_open(&nd, FWRITE, 0);
                if (error)
                        return (error);


Unless there is already a PR for this (check the PR database on the
FreeBSD web pages) I'd suggest sending in a new one.

> before searching for the culprit myself.  Does it deserve a send-pr,
> even without patches ?

I think it's as easy as adding FAPPEND to the mode.  The only problem
is making sure that it has no unexpected side effects.  If you like
quote this email in the PR to point at a possible way to fix it.

Stefan.
-- 
Stefan Eggers                 Lu4 yao2 zhi1 ma3 li4,
Max-Slevogt-Str. 1            ri4 jiu3 jian4 ren2 xin1.
51109 Koeln
Federal Republic of Germany

...

	Taking a quick look at ufs_vnops.c, it really seems that
	a FWRITE|O_APPEND in the vnopen() call will fix, but again
	I'm not aware of possible problems.  I've tested it at home,
	and it worked, but it would be much better if it was revised
	by a real FS hacker.

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->suspended 
State-Changed-By: phk 
State-Changed-When: Tue Jul 7 02:52:57 PDT 1998 
State-Changed-Why:  
awaiting fix & committer 
Responsible-Changed-From-To: freebsd-bugs->johan 
Responsible-Changed-By: johan 
Responsible-Changed-When: Sun Jun 30 12:31:04 PDT 2002 
Responsible-Changed-Why:  
I will have a look at this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=7169 
State-Changed-From-To: suspended->analyzed 
State-Changed-By: johan 
State-Changed-When: Fri Jul 5 12:00:15 PDT 2002 
State-Changed-Why:  
This is still a problem in stable and current. 
I'm currently working on fixing this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=7169 
State-Changed-From-To: analyzed->patched 
State-Changed-By: johan 
State-Changed-When: Wed Jul 10 10:34:05 PDT 2002 
State-Changed-Why:  
I have committed a fix to current and will 
MFC in two weeks, unless some problem shows up. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=7169 

From: Johan Karlsson <johan@FreeBSD.org>
To: jonny@jonny.eng.br
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/7169: cannot use accton on a append-only file
Date: Wed, 10 Jul 2002 20:00:35 +0200

 --Clx92ZfkiYIKRjnr
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 FYI
 
 the equivalent patch for 4-Stable is attached here.
 It should work on any 4.x version.
 
 /Johan K
 -- 
 Johan Karlsson		mailto:johan@FreeBSD.org
 
 --Clx92ZfkiYIKRjnr
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="acc.diff"
 
 Index: kern_acct.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/kern/kern_acct.c,v
 retrieving revision 1.23
 diff -u -r1.23 kern_acct.c
 --- kern_acct.c	15 Dec 1999 23:01:54 -0000	1.23
 +++ kern_acct.c	10 Jul 2002 17:51:46 -0000
 @@ -127,18 +127,18 @@
  
  	/*
  	 * If accounting is to be started to a file, open that file for
 -	 * writing and make sure it's a 'normal'.
 +	 * appending and make sure it's a 'normal'.
  	 */
  	if (SCARG(uap, path) != NULL) {
  		NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path),
  		       p);
 -		error = vn_open(&nd, FWRITE, 0);
 +		error = vn_open(&nd, FWRITE | O_APPEND, 0);
  		if (error)
  			return (error);
  		NDFREE(&nd, NDF_ONLY_PNBUF);
  		VOP_UNLOCK(nd.ni_vp, 0, p);
  		if (nd.ni_vp->v_type != VREG) {
 -			vn_close(nd.ni_vp, FWRITE, p->p_ucred, p);
 +			vn_close(nd.ni_vp, FWRITE | O_APPEND, p->p_ucred, p);
  			return (EACCES);
  		}
  	}
 @@ -149,8 +149,8 @@
  	 */
  	if (acctp != NULLVP || savacctp != NULLVP) {
  		untimeout(acctwatch, NULL, acctwatch_handle);
 -		error = vn_close((acctp != NULLVP ? acctp : savacctp), FWRITE,
 -		    p->p_ucred, p);
 +		error = vn_close((acctp != NULLVP ? acctp : savacctp),
 +		    FWRITE | O_APPEND, p->p_ucred, p);
  		acctp = savacctp = NULLVP;
  	}
  	if (SCARG(uap, path) == NULL)
 @@ -304,7 +304,8 @@
  
  	if (savacctp != NULLVP) {
  		if (savacctp->v_type == VBAD) {
 -			(void) vn_close(savacctp, FWRITE, NOCRED, NULL);
 +			(void) vn_close(savacctp, FWRITE | O_APPEND, NOCRED,
 +			    NULL);
  			savacctp = NULLVP;
  			return;
  		}
 @@ -318,7 +319,7 @@
  		if (acctp == NULLVP)
  			return;
  		if (acctp->v_type == VBAD) {
 -			(void) vn_close(acctp, FWRITE, NOCRED, NULL);
 +			(void) vn_close(acctp, FWRITE | O_APPEND, NOCRED, NULL);
  			acctp = NULLVP;
  			return;
  		}
 
 --Clx92ZfkiYIKRjnr--
State-Changed-From-To: patched->closed 
State-Changed-By: johan 
State-Changed-When: Wed Jul 24 11:34:09 PDT 2002 
State-Changed-Why:  
Fix committed to -stable. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=7169 
>Unformatted:
