[5619] in Athena Bugs
re-plugging the security hole in quota
daemon@ATHENA.MIT.EDU (jnrees@ATHENA.MIT.EDU)
Fri Jul 27 15:27:51 1990
From: jnrees@ATHENA.MIT.EDU
Date: Fri, 27 Jul 90 15:27:29 -0400
To: jik@ATHENA.MIT.EDU
Cc: testers@ATHENA.MIT.EDU, bugs@ATHENA.MIT.EDU, bug-quota@ATHENA.MIT.EDU
The following patch re-plugs the security hole in quota:
*** /tmp/,RCSt1029602 Fri Jul 27 15:17:41 1990
--- quota.c Fri Jul 27 15:16:23 1990
***************
*** 358,363 ****
--- 358,366 ----
extern char *index();
int oldrpc = 0;
+ /* Super-user limited to local filesystems */
+ if (!getuid()) return(0);
+
hostp = mntp->mnt_fsname;
cp = index(mntp->mnt_fsname, ':');
if (cp == 0) {
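Review bot: the added early return, `if (!getuid()) return(0);`, tests the real uid only, and its comment says what is restricted but not why. If quota can ever run with an effective uid of 0 while the real uid is non-zero, this test will not fire, so the comment should state which identity is meant and give the reason for the restriction (the security hole this patch re-plugs), which also makes it less likely that the check is dropped again in a later revision. The return is also silent: a super-user asking about a remote filesystem gets no indication that it was skipped, so either print a diagnostic or confirm that 0 is the value callers treat as "no quota information available".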
The following patch to quota.1 makes quota's behavior a little more
clear:
*** /tmp/,RCSt1029570 Fri Jul 27 15:11:25 1990
--- quota.1 Fri Jul 27 14:42:27 1990
***************
*** 18,29 ****
.IX display "disk usage and limits quota" "" "disk usage and limits \(em \fLquota\fP"
.IX "limits of disk space quota" "" "limits of disk space \(em \fLquota\fP"
.I Quota
! displays users' and groups' disk usage and limits on local and NFS mounted file
! systems. If a user or group is specified (by name or by id), \fIquota\fP will
! return what information it can obtain on disk usage and limits for the given
! user or group. The super-user may check quotas for any user and group on
! local filesystems. Normal users may only check their own user quotas and the
! quotas of any group they're a member of.
.LP
.I Quota
without options displays only warnings
--- 18,30 ----
.IX display "disk usage and limits quota" "" "disk usage and limits \(em \fLquota\fP"
.IX "limits of disk space quota" "" "limits of disk space \(em \fLquota\fP"
.I Quota
! displays users' and groups' disk usage and limits on local and NFS
! mounted file systems. If a user or group is specified (by name or by
! id), \fIquota\fP will return information on disk usage and limits for
! the given user or group. The super-user may only check quotas for
! users and groups on local (non-NFS) filesystems. Normal users may
! only check their own user quotas and the quotas of any group they're a
! member of.
.LP
.I Quota
without options displays only warnings
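Review bot: the revised paragraph still opens with "local and NFS mounted file systems" and only later limits the super-user to local ones, without saying what the super-user sees when an NFS filesystem is involved. The quota.c change in this message returns without printing anything when the real uid is 0, so the page should say that explicitly, for example that no quota information is reported for NFS filesystems when quota is run by the super-user. It would also help to note that the restriction follows the invoking (real) uid, since that is what the code tests.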