o Disable two "allow this" exceptions in p_cansched()m retricting the

ability of unprivileged processes to modify the scheduling properties of daemons temporarily taking on unprivileged effective credentials. These cases (p1->p_cred->p_ruid == p2->p_ucred->cr_uid) and (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid), respectively permitting a subject process to influence the scheduling of a daemon if the subject process has the same real uid or effective uid as the daemon's effective uid. This removes a number of the warning cases identified by the proc_to_proc iner-process authorization regression test. o As these are new restrictions, we'll have to watch out carefully for possible side effects on running code: they seem reasonable to me, but it's possible this change might have to be backed out if problems are experienced. Reported by: src/tools/regression/security/proc_to_proc/testuid Obtained from: TrustedBSD Project
2001-04-12 22:46:07 +00:00 · 2001-04-12 22:46:07 +00:00 · e3e8f50cbe
commit e3e8f50cbe
parent 6e82ee8e8b
1 changed files with 4 additions and 1 deletions
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@ -1137,14 +1137,17 @@ p_cansched(struct proc *p1, struct proc *p2, int *privused)
 		return (0);
 	if (p1->p_ucred->cr_uid == p2->p_cred->p_ruid)
 		return (0);
+#if 0
 	/*
 	 * XXX should a process be able to affect another process
-	 * acting as the same uid (i.e., a userland nfsd or the like?)
+	 * acting as the same uid (i.e., sendmail delivery, lpd,
+	 * et al?)
 	 */
 	if (p1->p_cred->p_ruid == p2->p_ucred->cr_uid)
 		return (0);
 	if (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid)
 		return (0);
+#endif /* 0 */

 	if (!suser_xxx(0, p1, PRISON_ROOT)) {
 		if (privused != NULL)