Add a SUSER_RUID flag to suser_cred. This flag indicates that we want to
check if the *real* user is the superuser (vs. the normal behaviour, which checks the effective user). Reviewed by: rwatson
parent
0dd4779874
commit
8651a1567e
@ -1222,8 +1222,7 @@ TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
|
||||
|
||||
/*
|
||||
* Test whether the specified credentials imply "super-user" privilege.
|
||||
* Return 0 or EPERM. The flag argument is currently used only to
|
||||
* specify jail interaction.
|
||||
* Return 0 or EPERM.
|
||||
*/
|
||||
int
|
||||
suser_cred(struct ucred *cred, int flag)
|
||||
@ -1231,7 +1230,7 @@ suser_cred(struct ucred *cred, int flag)
|
||||
|
||||
if (!suser_enabled)
|
||||
return (EPERM);
|
||||
if (cred->cr_uid != 0)
|
||||
if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0)
|
||||
return (EPERM);
|
||||
if (jailed(cred) && !(flag & PRISON_ROOT))
|
||||
return (EPERM);
|
||||
|
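Review bot: The header comment above suser_cred() now says only "Return 0 or EPERM." and no longer describes the flag argument, even though this commit gives that argument a second meaning. In the changed test, SUSER_RUID replaces the effective-uid check rather than adding to it, so a credential with cr_ruid == 0 and a non-zero cr_uid passes. Callers that need both ids to be root do not get that from this flag, and the comment should say so. I would add ` * SUSER_RUID tests cr_ruid instead of cr_uid; PRISON_ROOT lets a jailed credential pass.` to the comment, and put the same one-line meaning next to `#define SUSER_RUID 2` in the header hunk. suser_cred()'s body begins and ends outside the hunk.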
@ -217,6 +217,7 @@ void cpu_stopprofclock(void);
|
||||
|
||||
/* flags for suser() and suser_cred() */
|
||||
#define PRISON_ROOT 1
|
||||
#define SUSER_RUID 2
|
||||
|
||||
int suser(struct thread *td);
|
||||
int suser_cred(struct ucred *cred, int flag);
|
||||
|