Gabriel Kihlman wrote:
> -#if 1
> - /* XXX Allow only root for now */
> - if ((error = suser(cp, 0)) != 0)
> + /* Only owner (unless the last exec gave it setuid/setgid
> + * privs) or root can get vmmap.
> + */
> + if ((findpr->ps_ucred->cr_uid != cp->p_ucred->cr_uid ||
> + ISSET(findpr->ps_flags, PS_SUGIDEXEC | PS_SUGID)) &&
> + (error = suser(cp, 0)) != 0) {
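Review bot: the trailing `{` on the `suser()` line opens a block where the removed `-` form needed none for its single `return (error);`; unless the body grows beyond that return, keep the brace-less form so the hunk stays minimal. The new comment is a clear improvement, since it states why owner alone is no longer sufficient once PS_SUGIDEXEC or PS_SUGID is set.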
The addition of the setuid check is good. That's the kind of oversight I was
afraid of. :)
> + /* Must be a child (unless global_ptrace is set) */
> + if (global_ptrace == 0 && !inferior(findpr, cp->p_p) &&
> + (error = suser(cp, 0)) != 0) {
I don't think we need worry about children. The ptrace restriction is there
because ptrace is quite a bit more powerful. It doesn't just reveal
information about the process, it allows control as well.
Thanks for reminding me to revisit this. I think the following diff is
sufficient.
Index: kern_sysctl.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.305
diff -u -p -r1.305 kern_sysctl.c
--- kern_sysctl.c 27 May 2016 19:45:04 -0000 1.305
+++ kern_sysctl.c 28 Jun 2016 20:43:30 -0000
@@ -1980,16 +1980,11 @@ sysctl_proc_vmmap(int *name, u_int namel
if (findpr->ps_flags & (PS_SYSTEM | PS_EXITING))
return (EINVAL);
-#if 1
- /* XXX Allow only root for now */
- if ((error = suser(cp, 0)) != 0)
- return (error);
-#else
/* Only owner or root can get vmmap */
- if (findpr->ps_ucred->cr_uid != cp->p_ucred->cr_uid &&
+ if ((findpr->ps_ucred->cr_uid != cp->p_ucred->cr_uid ||
+ ISSET(findpr->ps_flags, PS_SUGIDEXEC | PS_SUGID)) &&
(error = suser(cp, 0)) != 0)
return (error);
-#endif
} else {
/* Only root can get kernel_map */
if ((error = suser(cp, 0)) != 0)
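Review bot: the unchanged comment `/* Only owner or root can get vmmap */` no longer describes the condition beneath it, which now also falls through to suser() when the target has PS_SUGIDEXEC or PS_SUGID set even if the caller is the owner; update it along the lines of the wording from the quoted draft, "Only owner (unless the last exec gave it setuid/setgid privs) or root can get vmmap", so the set-id exception is documented where the check lives. Dropping the `#if 1` / `#else` / `#endif` scaffolding is right, since the `#if 1` branch had made the owner check dead code.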