From bc0d90707f2c0bb90704e440b2daa9701f6669eb Mon Sep 17 00:00:00 2001
From: Jan-Simon Pendry
Date: Mon, 21 Feb 1994 01:18:22 -0800
Subject: [PATCH] add privilege checks etc to support user mounts

SCCS-vsn: sys/miscfs/union/union_vfsops.c 8.5
---
 usr/src/sys/miscfs/union/union_vfsops.c | 27 +++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/usr/src/sys/miscfs/union/union_vfsops.c b/usr/src/sys/miscfs/union/union_vfsops.c
index 55fff0169b..ce1c4d44dd 100644
--- a/usr/src/sys/miscfs/union/union_vfsops.c
+++ b/usr/src/sys/miscfs/union/union_vfsops.c
@@ -8,7 +8,7 @@
 *
 * %sccs.include.redist.c%
 *
- * @(#)union_vfsops.c 8.4 (Berkeley) %G%
+ * @(#)union_vfsops.c 8.5 (Berkeley) %G%
 */

 /*
@@ -81,20 +81,19 @@ union_mount(mp, path, data, ndp, p)
 * mounted-on directory. This allows the mount_union
 * command to be made setuid root so allowing anyone
 * to do union mounts onto any directory on which they
- * have write (also delete and rename) permission.
+ * have write permission and which they also own.
 */
- error = VOP_ACCESS(mp->mnt_vnodecovered, VWRITE, cred, p);
- if (error)
- goto bad;
 error = VOP_GETATTR(mp->mnt_vnodecovered, &va, cred, p);
 if (error)
 goto bad;
- if ((va.va_mode & VSVTX) &&
- (va.va_uid != 0) &&
- (va.va_uid != cred->cr_uid)) {
+ if ((va.va_uid != cred->cr_uid) &&
+ (cred->cr_uid != 0)) {
 error = EACCES;
 goto bad;
 }
+ error = VOP_ACCESS(mp->mnt_vnodecovered, VWRITE, cred, p);
+ if (error)
+ goto bad;

 /*
 * Get argument
@@ -185,6 +184,13 @@ union_mount(mp, path, data, ndp, p)
 * will leave the unioned view as read-only.
 */
 mp->mnt_flag |= (um->um_uppervp->v_mount->mnt_flag & MNT_RDONLY);
+
+ /*
+ * This is a user mount. Privilege check for unmount
+ * will be done in union_unmount.
+ */
+ mp->mnt_flag |= MNT_USER;
+
 mp->mnt_data = (qaddr_t) um;
 getnewfsid(mp, MOUNT_UNION);

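Review bot: The new ownership test in union_mount, `(va.va_uid != cred->cr_uid) && (cred->cr_uid != 0)`, only restricts anyone if `cred` carries the caller's real uid. The comment just above it expects mount_union to run setuid root, and with the process's effective credentials `cred->cr_uid` would be 0 for every caller, so the test would never reject. `cred` is set up outside this hunk, so which uid it holds cannot be confirmed from here. I would record the assumption at the test, e.g. `/* cred must hold the invoking user's real uid, not the setuid euid */`. union_mount's body starts and ends outside the hunk.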
@@ -261,6 +267,11 @@ union_unmount(mp, mntflags, p)
 printf("union_unmount(mp = %x)\n", mp);
 #endif

+ /* only the mounter, or superuser can unmount */
+ if ((p->p_cred->p_ruid != um->um_cred->cr_uid) &&
+ (error = suser(p->p_ucred, &p->p_acflag)))
+ return (error);
+
 if (mntflags & MNT_FORCE) {
 /* union can never be rootfs so don't check for it */
 if (!doforce)
-- 
2.20.1
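Review bot: The superuser fallback in union_unmount calls `suser(p->p_ucred, &p->p_acflag)`, which tests the process's effective credentials, while the mounter comparison beside it uses the real uid `p->p_cred->p_ruid`. If the unmounting program is ever installed setuid root, as the union_mount comment allows for mount_union, the fallback would pass for every caller and the mounter test would no longer restrict anything. Because the mount side sets MNT_USER and defers the privilege check to this function, this is presumably the only gate on unmount, so the dependency is worth recording: `/* suser() checks the euid: the unmount utility must not be setuid root */`. `um` and `error` are declared outside the hunk, and the function body continues past it.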