o Tighten up rules for which processes can't debug which other processes

in the p_candebug() function.  Synchronize with sef's CHECKIO()
  macro from the old procfs, which seems to be a good source of security
  checks.

Obtained from:	TrustedBSD Project
rwatson 2000-10-30 20:30:03 +00:00
parent 4b00fdc3f6
commit 356ee2efc8


@ -1082,8 +1082,10 @@ p_candebug(const struct proc *p1, const struct proc *p2, int *privused)
/* not owned by you, has done setuid (unless you're root) */
/* add a CAP_SYS_PTRACE here? */
if ((p1->p_cred->p_ruid != p2->p_cred->p_ruid) ||
(p2->p_flag & P_SUGID)) {
if (p1->p_cred->pc_ucred->cr_uid != p2->p_cred->p_ruid ||
p1->p_cred->p_ruid != p2->p_cred->p_ruid ||
p1->p_cred->p_svuid == p2->p_cred->p_ruid ||
p2->p_flag & P_SUGID) {
if ((error = suser_xxx(0, p1, PRISON_ROOT)))
return (error);
if (privused != NULL)
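Review bot: The third clause of the new condition, `p1->p_cred->p_svuid == p2->p_cred->p_ruid`, uses `==` where the two clauses above it use `!=`, which looks inverted. As written, a debugger whose saved uid matches the target's real uid (the ordinary same-user case) is sent to the `suser_xxx()` privilege check, while a mismatched saved uid is not caught by this clause. If the intent is to require privilege whenever any of the debugger's uids differs from the target's real uid, the line should read `p1->p_cred->p_svuid != p2->p_cred->p_ruid ||`. The body of p_candebug() starts and ends outside the hunk, so the comparison should be confirmed against the CHECKIO() macro the commit message cites.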