[UFS] Broken suiddir? (+patch)

From: Rafal Skoczylas <nils_at_secprog.org>
Date: Tue, 23 Mar 2004 23:30:20 +0100
Hello.
I've experienced some strange SUIDDIR (fs/mount option) behavior.
Please excuse me if this is a known issue, but I've looked through
freebsd-bugs (and other sites in general - using google) and
haven't found anything related to this.

from mount(8):
[...]
suiddir
        A directory on the mounted file system will respond to
        the SUID bit being set, by setting the owner of any new
        files to be the same as the owner of the directory.  New
        directories will inherit the bit from their parents.
        Execute bits are removed from the file, and it will not
        be given to root.

        This feature is designed for use on fileservers serving
        PC users via ftp, SAMBA, or netatalk.  It provides secu-
        rity holes for shell users and as such should not be used
        on shell machines, especially on home directories.  
[...]

So I added SUIDDIR to my kernel (I use 5.2.1-RELEASE-p3) and
recompiled/rebooted. Mounted fs at /var/test with suiddir option and
chown/chmod'ed newly created directory (/var/test/test) to
test:users/4770. Now what I expected to happen is that every new
file/directory in this directory will be owned by test:users. But this
wasn't the case. Actually the gid got set, but not the uid.

The following patch seems to fix this, however I'd like someone more
experienced with the FreeBSD kernel to look at it with a critical eye.

root_at_hawaje:/usr/src/sys/ufs/ufs% diff -u ufs_vnops.c.orig ufs_vnops.c
--- ufs_vnops.c.orig    Sat Oct 18 16:10:27 2003
+++ ufs_vnops.c Sun Mar 21 01:31:04 2004
_at__at_ -1411,7 +1411,7 _at__at_
                                 * our context so a stack variable is ok.
                                 */
                                ucred.cr_ref = 1;
-                               ucred.cr_uid = ip->i_uid;
+                               ucred.cr_uid = dp->i_uid;
                                ucred.cr_ngroups = 1;
                                ucred.cr_groups[0] = dp->i_gid;
                                ucp = &ucred;
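
Review bot: On the changed ucred.cr_uid line, the edit only touches the uid in the temporary stack credential (ucred, passed on through ucp); nothing visible in this hunk assigns the new inode's own ip->i_uid, so it is not clear from these lines how the change alters the owner recorded for the new file. Please post the surrounding lines that set ip->i_uid and show what consumes ucp: if ip->i_uid still holds the creator's uid when this line runs, that assignment looks like the more direct place for the fix, and this line could keep reading from ip. Using dp->i_uid is consistent with the neighbouring cr_groups[0] = dp->i_gid, but the context should also show that this branch is skipped when dp->i_uid is 0, since mount(8) says the file will not be given to root.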
root_at_hawaje:/usr/src/sys/ufs/ufs%

If you need any more information (e.g. about my config, etc.) feel free to
ask.

Additionally, would someone be so kind as to describe the risk caused by using
SUIDDIR (mentioned in man) in more detail? Is there any "hidden" risk
except those obvious (like created files that look as if someone else
created them)? I tried searching google for such information but with
no luck so far.

PS Please CC to my e-mail, as I am not subscribed to the list and read it
occasionally through a usenet gateway.

-- nils.
Received on Tue Mar 23 2004 - 13:28:27 UTC
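
The check described in the message (create something inside a mode-4770 directory on a suiddir mount and see who ends up owning it), written out as an added example; it is not part of the original post or of the FreeBSD tree. The function names are assumptions, and it also reports the subdirectory SUID bit that mount(8) says is inherited.

```shell
# Added example; helper names are assumptions, not FreeBSD code.
# ls -ldn columns: 1=mode string, 3=numeric uid, 4=numeric gid (BSD and GNU ls agree).
lsfield() { ls -ldn "$2" | awk -v n="$1" '{ print $n }'; }

# compare DIR_ID NEW_ID CREATOR_ID
# "inconclusive" means the creator already has the directory's id, so a match
# between directory and new file proves nothing about inheritance.
compare() {
    if [ "$1" = "$3" ]; then echo inconclusive
    elif [ "$1" = "$2" ]; then echo inherited
    else echo not-inherited
    fi
}

# check_suiddir DIR
# Creates a probe file and a probe subdirectory in DIR, compares them with DIR,
# removes them again and prints:  uid=<r> gid=<r> subdir_suid=<yes|no>
# Exit status: 0 uid inherited, 1 not inherited, 2 inconclusive, 3 cannot create.
# A root-owned DIR reporting not-inherited is expected: mount(8) says files are
# never given to root.
check_suiddir() {
    dir=$1
    f="$dir/.suiddir_probe_f.$$"
    d="$dir/.suiddir_probe_d.$$"
    : > "$f" || return 3
    mkdir "$d" || { rm -f "$f"; return 3; }

    uid_r=$(compare "$(lsfield 3 "$dir")" "$(lsfield 3 "$f")" "$(id -u)")
    gid_r=$(compare "$(lsfield 4 "$dir")" "$(lsfield 4 "$f")" "$(id -g)")
    # Fourth character of the mode string is s or S when the SUID bit is set.
    case $(lsfield 1 "$d" | cut -c4) in
        s|S) suid=yes ;;
        *)   suid=no ;;
    esac
    rm -f "$f"; rmdir "$d"

    echo "uid=$uid_r gid=$gid_r subdir_suid=$suid"
    case $uid_r in
        inherited)     return 0 ;;
        not-inherited) return 1 ;;
        *)             return 2 ;;
    esac
}
```

Run it as a user other than the directory's owner, for example check_suiddir /var/test/test; the behaviour reported in the message corresponds to uid=not-inherited gid=inherited.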
