Close out a possible race where anybody in group operator could

chown an arbitrary file to operator. Reported by: Ian Dowse <iedowse@maths.tcd.ie> Sponsored by: DARPA & NAI Labs.
svn path=/head/; revision=111725
2024-09-06 17:18:32 +00:00 · 2003-03-02 08:07:57 +00:00 · 2003-03-02 08:07:57 +00:00 · 6d540f8137 · 2020-12-20 02:59:44 +00:00
parent 491081fabf
commit 6d540f8137
1 changed files with 11 additions and 2 deletions
--- a/sbin/mksnap_ffs/mksnap_ffs.c
+++ b/sbin/mksnap_ffs/mksnap_ffs.c
@ -41,6 +41,7 @@
 #include <ufs/ufs/ufsmount.h>
 #include <err.h>
 #include <errno.h>
+#include <fcntl.h>
 #include <grp.h>
 #include <stdio.h>
 #include <stdlib.h>
@ -62,6 +63,8 @@ main(int argc, char **argv)
 	const char *dir;
 	struct ufs_args args;
 	struct group *grp;
+	struct stat stbuf;
+	int fd;

 	if (argc != 3)
 		usage();
@ -73,9 +76,15 @@ main(int argc, char **argv)
 		errx(1, "Cannot retrieve operator gid");
 	if (mount("ffs", dir, MNT_UPDATE | MNT_SNAPSHOT, &args) < 0)
 		err(1, "Cannot create %s", args.fspec);
-	if (chown(args.fspec, -1, grp->gr_gid) != 0)
+	if ((fd = open(args.fspec, O_RDONLY)) < 0)
+		err(1, "Cannot open %s", args.fspec);
+	if (fstat(fd, &stbuf) != 0)
+		err(1, "Cannot stat %s", args.fspec);
+	if ((stbuf.st_flags & SF_SNAPSHOT) == 0)
+		errx(1, "File %s is not a snapshot", args.fspec);
+	if (fchown(fd, -1, grp->gr_gid) != 0)
 		err(1, "Cannot chown %s", args.fspec);
-	if (chmod(args.fspec, S_IRUSR | S_IRGRP) != 0)
+	if (fchmod(fd, S_IRUSR | S_IRGRP) != 0)
 		err(1, "Cannot chmod %s", args.fspec);

 	exit(EXIT_SUCCESS);