Path: utzoo!attcan!uunet!lll-winken!ncis.llnl.gov!ncis!helios.ee.lbl.gov!pasteur!ucbvax!OKEEFFE.BERKELEY.EDU!bostic
From: bostic@OKEEFFE.BERKELEY.EDU (Keith Bostic)
Newsgroups: comp.bugs.4bsd.ucb-fixes
Subject: V1.75 (chown security problem)
Message-ID: <8901172353.AA10589@okeeffe.Berkeley.EDU>
Date: 17 Jan 89 23:53:08 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: University of California at Berkeley
Lines: 52
Approved: ucb-fixes@okeeffe.berkeley.edu

Subject: chown security problem
Index: sys 4.3BSD-tahoe

Description:
	There's a security problem associated with 4.3BSD and 4.3BSD-tahoe
	systems involving the chown(2) system call.  It may exist in
	4.3BSD derived systems; contact your vendor for more information.
Fix:
	Apply the attached patch.


*** /tmp/d24713	Sun Jan  8 08:37:32 1989
--- ufs_syscalls.c	Fri Jan  6 15:19:04 1989
***************
*** 3,9 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)ufs_syscalls.c	7.3 (Berkeley) 4/18/87
   */
  
  #include "param.h"
--- 3,9 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)ufs_syscalls.c	7.4 (Berkeley) 1/6/89
   */
  
  #include "param.h"
***************
*** 624,629 ****
--- 624,631 ----
  	if (fp == NULL)
  		return;
  	ip = (struct inode *)fp->f_data;
+ 	if (u.u_uid != ip->i_uid && !suser())
+ 		return;
  	ILOCK(ip);
  	u.u_error = chown1(ip, uap->uid, uap->gid);
  	IUNLOCK(ip);
***************
*** 647,654 ****
  		uid = ip->i_uid;
  	if (gid == -1)
  		gid = ip->i_gid;
- 	if (uid != ip->i_uid && !suser())
- 		return (u.u_error);
  	if (gid != ip->i_gid && !groupmember((gid_t)gid) && !suser())
  		return (u.u_error);
  #ifdef QUOTA
--- 649,654 ----