From f5770bb46ad8e1bf7844eaf3e05f7372ba0cbe1d Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Mon, 18 Sep 2000 17:58:15 +0000 Subject: [PATCH] o Add a comment clarifying interaction between jail(), privileged processes, and UFS file flags. Here's what the comment says, for reference: Privileged processes in jail() are permitted to modify arbitrary user flags on files, but are not permitted to modify system flags. In other words, privilege does allow a process in jail to modify user flags for objects that the process does not own, but privilege will not permit the setting of system flags on the file. Obtained from: TrustedBSD Project --- sys/ufs/ufs/ufs_vnops.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sys/ufs/ufs/ufs_vnops.c b/sys/ufs/ufs/ufs_vnops.c index 1ac7dd0b5243..c214b4c673e4 100644 --- a/sys/ufs/ufs/ufs_vnops.c +++ b/sys/ufs/ufs/ufs_vnops.c @@ -408,6 +408,11 @@ ufs_setattr(ap) if (vap->va_flags != VNOVAL) { if (vp->v_mount->mnt_flag & MNT_RDONLY) return (EROFS); + /* + * Privileged processes in jail() are permitted to modify + * arbitrary user flags on files, but are not permitted + * to modify system flags. + */ if (cred->cr_uid != ip->i_uid && (error = suser_xxx(cred, p, PRISON_ROOT))) return (error);