
priv_check() question


exorcistkiller

Jul 4, 2011, 2:54:25 AM
Hi! I am taking a FreeBSD course this summer and I'm doing a homework
assignment. A new system call uidkill() is to be added. uidkill(uid_t uid,
int signum) sends the signal specified by signum to all processes owned by
uid, excluding the calling process itself.

I'm almost done; however, I'm stuck with priv_check(). If the calling
process is trying to send a signal to processes owned by others, permission
should be denied. My implementation simply uses an if (p->p_ucred->cr_uid ==
ksi.ksi_uid) to deny it; however, priv_check() is required. My question is:
what privilege should a process have to send a signal to processes owned by
others? PRIV_SIGNAL_DIFFCRED?


Robert Watson

Jul 5, 2011, 4:46:52 AM

On Sun, 3 Jul 2011, exorcistkiller wrote:

> Hi! I am taking a FreeBSD course this summer and I'm doing a homework
> assignment. A new system call uidkill() is to be added. uidkill(uid_t uid,
> int signum) sends the signal specified by signum to all processes owned by
> uid, excluding the calling process itself.
>
> I'm almost done; however, I'm stuck with priv_check(). If the calling
> process is trying to send a signal to processes owned by others, permission
> should be denied. My implementation simply uses an if (p->p_ucred->cr_uid ==
> ksi.ksi_uid) to deny it; however, priv_check() is required. My question is:
> what privilege should a process have to send a signal to processes owned by
> others? PRIV_SIGNAL_DIFFCRED?

The right way to think about "privileges" in FreeBSD is that they exempt
subjects (usually processes) from normal access control rules -- typically as
a result of a root uid. The access control rules for signalling are captured
by p_cansignal() and cr_cansignal(), depending on whether the "subject" is a
process or a cached credential. Processes have access to slightly greater
rights than raw credentials due to additional context -- for example,
information about parent-child relationships. These functions then invoke
further privilege checks if required, perhaps overriding the normal
requirement that uids match, etc. kill() implements a couple of broadcast
modes for signals -- you may want to look at the implementation there to see
how this is done.

Robert
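To make the layering Robert describes concrete, here is an added example that is not from this thread or from FreeBSD's sources: a user-space C model in which a cr_cansignal()-style routine applies the normal uid-matching rule first and consults PRIV_SIGNAL_DIFFCRED only when that rule fails, with uidkill() built on top of it. The struct layouts, the privilege value, the proc table and the "signal delivery" are constructed stand-ins; the real kernel routines take a struct proc or thread and apply many more rules.

```c
#include <errno.h>
#include <stddef.h>
/* User-space model (not FreeBSD kernel code) of the credential checks behind
 * kill(): cr_cansignal() applies the uid-matching rule first and consults a
 * privilege only when that rule fails, so root is exempted, not special-cased. */
struct ucred { unsigned cr_uid, cr_ruid, cr_svuid; }; /* effective, real, saved */
struct proc  { int p_pid; struct ucred p_ucred; int p_signalled; };
#define PRIV_SIGNAL_DIFFCRED 1 /* placeholder; the real value is in sys/priv.h */

/* Model of priv_check_cred(): here only uid 0 holds any privilege (0 = granted). */
static int priv_check_cred(const struct ucred *c, int priv)
{ (void)priv; return c->cr_uid == 0 ? 0 : EPERM; }
/* Model of cr_cansignal(): sender's real or effective uid must match the
 * target's real or saved uid, else PRIV_SIGNAL_DIFFCRED decides. The real
 * routine has further rules (e.g. SIGCONT within the same session). */
static int cr_cansignal(const struct ucred *c, const struct proc *p, int signum)
{
    const struct ucred *t = &p->p_ucred;
    (void)signum;
    if (c->cr_ruid == t->cr_ruid || c->cr_ruid == t->cr_svuid ||
        c->cr_uid  == t->cr_ruid || c->cr_uid  == t->cr_svuid)
        return 0;
    return priv_check_cred(c, PRIV_SIGNAL_DIFFCRED);
}

/* uidkill() as the homework describes it: signal every process whose real
 * uid is `uid`, skip the caller, and let cr_cansignal() judge each target
 * instead of a hand-rolled uid compare. Keeps iterating after a refusal;
 * returning the last error is this model's choice, not the kernel's policy. */
static int uidkill(struct proc *self, struct proc *tbl, size_t n, unsigned uid, int signum)
{
    int err = 0;
    for (size_t i = 0; i < n; i++) {
        if (&tbl[i] == self || tbl[i].p_ucred.cr_ruid != uid)
            continue;
        int e = cr_cansignal(&self->p_ucred, &tbl[i], signum);
        if (e) { err = e; continue; }
        tbl[i].p_signalled = signum;  /* stand-in for pksignal() */
    }
    return err;
}

static int last_delivered; /* targets actually reached by the last scenario */
/* Constructed scenario: caller (pid 10, given uids) runs uidkill(1001, 15)
 * against pids 11 and 12 (owner 1001) and pid 13 (owner 1002). */
static int run_scenario(unsigned euid, unsigned ruid)
{
    struct proc tbl[4] = { { 10, { euid, ruid, ruid }, 0 }, { 11, { 1001, 1001, 1001 }, 0 },
                           { 12, { 1001, 1001, 1001 }, 0 }, { 13, { 1002, 1002, 1002 }, 0 } };
    int err = uidkill(&tbl[0], tbl, 4, 1001, 15);
    last_delivered = 0;
    for (int i = 0; i < 4; i++) last_delivered += tbl[i].p_signalled != 0;
    return err;
}
```

A caller with uid 1001 reaches both of its processes and never signals itself; a caller with uid 1002 is refused by the uid rule and, holding no privilege, gets EPERM; root fails the uid rule too but is exempted by the privilege check.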
