diff options
author | Todd C. Miller <millert@cvs.openbsd.org> | 2003-03-09 01:34:01 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2003-03-09 01:34:01 +0000 |
commit | 11820976fc09e613dd88eebdd9a7e6a5b73471ab (patch) | |
tree | d61577ac6c10e2111c920e9de4535648d81c1171 /sys | |
parent | 5c66c78b07f34ed9acddc827ceb266aae6caeac4 (diff) |
Disallow ptrace if P_SUGIDEXEC flag is set (we already disallow if P_SUGID
is set). deraadt@ and tholo@ OK.
Diffstat (limited to 'sys')
-rw-r--r-- | sys/kern/sys_process.c | 13 | ||||
-rw-r--r-- | sys/miscfs/procfs/procfs_mem.c | 3 |
2 files changed, 9 insertions, 7 deletions
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c index e0a36f1925f..0b0549b9812 100644 --- a/sys/kern/sys_process.c +++ b/sys/kern/sys_process.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sys_process.c,v 1.23 2002/06/27 02:04:50 deraadt Exp $ */ +/* $OpenBSD: sys_process.c,v 1.24 2003/03/09 01:33:59 millert Exp $ */ /* $NetBSD: sys_process.c,v 1.55 1996/05/15 06:17:47 tls Exp $ */ /*- @@ -137,13 +137,14 @@ sys_ptrace(p, v, retval) * gave us setuid/setgid privs (unless * you're root), or... * - * [Note: once P_SUGID gets set in execve(), it stays - * set until the process does another execve(). Hence - * this prevents a setuid process which revokes it's - * special privilidges using setuid() from being - * traced. This is good security.] + * [Note: once P_SUGID or P_SUGIDEXEC gets set in + * execve(), they stay set until the process does + * another execve(). Hence this prevents a setuid + * process which revokes it's special privileges using + * setuid() from being traced. This is good security.] */ if ((t->p_cred->p_ruid != p->p_cred->p_ruid || + ISSET(t->p_flag, P_SUGIDEXEC) || ISSET(t->p_flag, P_SUGID)) && (error = suser(p->p_ucred, &p->p_acflag)) != 0) return (error); diff --git a/sys/miscfs/procfs/procfs_mem.c b/sys/miscfs/procfs/procfs_mem.c index a06866f537a..ba3f320945e 100644 --- a/sys/miscfs/procfs/procfs_mem.c +++ b/sys/miscfs/procfs/procfs_mem.c @@ -1,4 +1,4 @@ -/* $OpenBSD: procfs_mem.c,v 1.17 2002/01/30 20:45:35 nordin Exp $ */ +/* $OpenBSD: procfs_mem.c,v 1.18 2003/03/09 01:34:00 millert Exp $ */ /* $NetBSD: procfs_mem.c,v 1.8 1996/02/09 22:40:50 christos Exp $ */ /* @@ -112,6 +112,7 @@ procfs_checkioperm(p, t) int error; if ((t->p_cred->p_ruid != p->p_cred->p_ruid || + ISSET(t->p_flag, P_SUGIDEXEC) || ISSET(t->p_flag, P_SUGID)) && (error = suser(p->p_ucred, &p->p_acflag)) != 0) return (error); |