VirtualBox

Ignore:
Timestamp:
Oct 27, 2011 5:54:33 PM (14 years ago)
Author:
vboxsync
svn:sync-xref-src-repo-rev:
74583
Message:

SUPR3HardenedVerify.cpp: tightened the Mac OS X and PC-BSD 9 hacks.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp

    r39091 r39133  
    11281128 *                              directory (only used for grand parent
    11291129 *                              directories).
    1130  * @param   pszPath             The path to the object. (For error messages
    1131  *                              only.)
     1130 * @param   pszPath             The path to the object. For error messages and
     1131 *                              securing a couple of hacks.
    11321132 * @param   pErrInfo            The error info structure.
    11331133 */
     
    11901190           full access. So, to work around we relax the hardening a bit and
    11911191           permit grand parents and beyond to be group writable by admin. */
    1192         bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 80 /*admin*/; /** @todo dynamically resolve the admin group? */
     1192        /** @todo dynamically resolve the admin group? */
     1193        bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 80 /*admin*/ || strcmp(pszPath, "/Applications");
    11931194
    11941195#elif defined(RT_OS_FREEBSD)
    1195         /* HACK ALERT: PC-BSD 9 has group-writable application directory,
    1196            similar to OS X and their /Applications directory (see above).
    1197            On FreeBSD root is normally the only member of this group. */
    1198         /** @todo Can we test for fRelaxed here like on the mac or is the 'operator'
    1199          *        group the owner of the immediate installation directory? More
    1200          *        details would be greatly appreciated as this HACK affects real FreeBSD
    1201          *        as well as the PC-BSD fork! */
    1202         bool fBad = pFsObjState->Stat.st_gid != 5 /*operator*/;
     1196        /* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
     1197           similar to /Applications on OS X (see above).
     1198           On FreeBSD root is normally the only member of this group, on
     1199           PC-BSD the default user is a member. */
     1200        /** @todo dynamically resolve the operator group? */
     1201        bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 5 /*operator*/ || strcmp(pszPath, "/usr/pbi");
    12031202        NOREF(fRelaxed);
    12041203#else
Note: See TracChangeset for help on using the changeset viewer.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette