[comp.sys.ibm.pc.rt] Patch for /sys/sys/ufs_syscalls.c

brunner@bullhead.uucp (07/25/89)

Subject: fix for chown security problem
Index: sys/ufs_syscalls.c IBM4.3-AOS

Description:
	There's a security problem associated with 4.3BSD and 4.3BSD-tahoe
	systems involving the chown(2) system call.  It exists in IBM's
	4.3BSD-derived system.

	This patch is consistent with the patch to sccsid version 7.3 made
	by Berkeley.

Fix:
	Apply the attached patch to rcsid version 12.0 of ufs_syscalls.c.

*** ufs_syscalls.c	Mon Jul 10 15:05:08 1989
--- ufs_syscalls.c.orig	Mon Jul 10 15:03:52 1989
***************
*** 865,880 ****
  	if ((ip = owner(uap->fname, NOFOLLOW, rmt_simple_path, RT_chown, 
  						uap->uid, uap->gid)) == NULL)
  #else
! #ifdef UCBFIX
! /* This is UCBFIX 1.77, there are no other UCBFIX ifdef's in this file. */
! 	register struct nameidata *ndp = &u.u_nd;
! 
! 	ndp->ni_nameiop = LOOKUP | NOFOLLOW;
! 	ndp->ni_segflg = UIO_USERSPACE;
! 	ndp->ni_dirp = uap->fname;
! 	ip = namei(ndp);
! 	if (ip == NULL)
! #endif UCBFIX
  #endif
  		return;
  	u.u_error = chown1(ip, uap->uid, uap->gid);
--- 865,871 ----
  	if ((ip = owner(uap->fname, NOFOLLOW, rmt_simple_path, RT_chown, 
  						uap->uid, uap->gid)) == NULL)
  #else
! 	if ((ip = owner(uap->fname, NOFOLLOW)) == NULL)
  #endif
  		return;
  	u.u_error = chown1(ip, uap->uid, uap->gid);
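Review bot: With `UCBFIX` undefined the `#else` arm here is empty, so the `return;` after `#endif` is no longer governed by any `if` and chown() returns before reaching chown1; the second hunk has the same shape, leaving `return (u.u_error);` unconditional in chown1. The failure is closed but silent, and since the comment says this is the only UCBFIX conditional in the file, I would drop the `#ifdef UCBFIX` / `#endif UCBFIX` pair in both places and keep the comment as the marker (if the conditional stays, `#endif /* UCBFIX */` avoids trailing tokens after `#endif`). Separately, the file headers run from `ufs_syscalls.c` to `ufs_syscalls.c.orig`, so the UCBFIX lines sit on the old side and the diff appears to be reversed; applying it as posted to an unpatched file would presumably need `patch -R`. The start of chown(), including the outer conditional this `#else` belongs to, is outside the hunk.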
***************
*** 940,955 ****
  		uid = ip->i_uid;
  	if (gid == -1)
  		gid = ip->i_gid;
! #ifdef UCBFIX
! /* This is UCBFIX 1.77, there are no other UCBFIX ifdef's in this file. */
! 	/*
! 	 * If we don't own the file, are trying to change the owner
! 	 * of the file, or are not a member of the target group,
! 	 * the caller must be superuser or the call fails.
! 	 */
! 	if ((u.u_uid != ip->i_uid || uid != ip->i_uid ||
! 	    !groupmember((gid_t)gid)) && !suser())
! #endif UCBFIX
  		return (u.u_error);
  #ifdef QUOTA
  	if (ip->i_uid == uid)		/* this just speeds things a little */
--- 931,939 ----
  		uid = ip->i_uid;
  	if (gid == -1)
  		gid = ip->i_gid;
! 	if (uid != ip->i_uid && !suser())
! 		return (u.u_error);
! 	if (gid != ip->i_gid && !groupmember((gid_t)gid) && !suser())
  		return (u.u_error);
  #ifdef QUOTA
  	if (ip->i_uid == uid)		/* this just speeds things a little */
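Review bot: The combined test in the UCBFIX block calls `groupmember((gid_t)gid)` even when the group is not being changed, because `gid` has just been defaulted to `ip->i_gid` on the lines above; the two lines it replaces only tested membership when `gid != ip->i_gid`. An owner who is not a member of the file's current group is therefore refused unless superuser, which the comment's "not a member of the target group" does not make obvious. If that tightening is intended, I would record it in the comment, e.g. `* The group test applies even when gid is left unchanged (-1).`, and add a line saying the ownership test lives in chown1 so that it covers every caller, not only paths that came through owner(). chown1 begins and ends outside this hunk, and this note reads the `***` side as the fixed code, since the diff direction looks reversed.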

Eric Brunner
uunet!ibmsupt!brunner