authorDag-Erling Smørgrav <des@FreeBSD.org>2002-07-11 16:56:05 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2002-07-11 16:56:05 +0000
commitbf8ae2ab7c59d83df729943aeb3e675a35ff7d51 (patch)
tree3f59536e72f40f15d2e9a2a089eb6131a72438eb
parentb65d5f103dafa5c2237518f25b6790926c29f4ed (diff)
MFS: prevent tracing of previously privileged processes.
Notes
Notes: svn path=/releng/4.4/; revision=99779
-rw-r--r--UPDATING5
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/kern/kern_ktrace.c3
3 files changed, 7 insertions, 3 deletions
diff --git a/UPDATING b/UPDATING
index 43d3eefd9f5a..7ccc38761b5b 100644
--- a/UPDATING
+++ b/UPDATING
@@ -10,7 +10,7 @@ Release.
This is for the 4.4 release branch. All entries since 4.4 are an
itemized list of commits to this branch, numbered from the beginning.
-By this count, we're at 4.4-RELEASE-p14.
+By this count, we're at 4.4-RELEASE-p15.
The security advisories related to various patches contain information
on how to build/install a minimal set of binaries and start/stop a
@@ -18,6 +18,9 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20020711: p15 FreeBSD-SA-02:30.ktrace
+ Prevent users from tracing previously privileged processes.
+
20020626: p14
A fix for a buffer overflow in libc has been corrected.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 9f66f6ed8ddf..1637298d3972 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.4"
-BRANCH="RELEASE-p14"
+BRANCH="RELEASE-p15"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index b8c91ab08ac5..6788d913f07c 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -525,7 +525,8 @@ ktrcanset(callp, targetp)
target->p_ruid == target->p_svuid &&
caller->p_rgid == target->p_rgid && /* XXX */
target->p_rgid == target->p_svgid &&
- (targetp->p_traceflag & KTRFAC_ROOT) == 0) ||
+ (targetp->p_traceflag & KTRFAC_ROOT) == 0 &&
+ (targetp->p_flag & P_SUGID) == 0) ||
caller->pc_ucred->cr_uid == 0)
return (1);
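Review bot: The added `P_SUGID` clause in the `ktrcanset` condition carries no comment, and nothing in the hunk records why the four uid/gid equality tests above it are not sufficient on their own. Those tests compare only the ids the target holds at the time of the call, so a process that ran under other credentials earlier and has since switched to the caller's ids would satisfy them while possibly still holding state obtained under the earlier credentials. A comment above the new line, for example `/* P_SUGID: ids changed since last exec, so matching ids now do not prove the target was never privileged */`, would keep a later cleanup from treating the clause as redundant; this wording assumes the flag has its usual meaning, which the hunk does not show. The existing `/* XXX */` on the rgid comparison is equally unexplained and could be expanded in the same pass. The start of the function body and its fall-through return are outside the hunk.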