From 30433f36a953187f27b5db9fb432f3b7dce91e6b Mon Sep 17 00:00:00 2001
From: Richard Basch
Date: Sat, 22 Jun 2002 05:32:45 +0000
Subject: [PATCH] Update_TargetVnodeStatus() checks and strips setuid bits for non admin clients; it should do the same thing for setgid files.
---
 src/viced/afsfileprocs.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/viced/afsfileprocs.c b/src/viced/afsfileprocs.c
index a65abc3..571ff04 100644
--- a/src/viced/afsfileprocs.c
+++ b/src/viced/afsfileprocs.c
@@ -149,6 +149,8 @@ pthread_mutex_t fileproc_glock_mutex;
 #define NOTACTIVECALL 0
 #define ACTIVECALL 1
+#define CREATE_SGUID_ADMIN_ONLY 1
+
 extern struct afsconf_dir *confDir;
 extern afs_int32 dataVersionHigh;
@@ -6071,7 +6073,12 @@ Update_TargetVnodeStatus(targetptr, Caller, client, InStatus, parentptr, volptr,
 if (Caller & TVS_SDATA) {
 targetptr->disk.dataVersion++;
 if (VanillaUser(client))
+ {
 targetptr->disk.modeBits &= ~04000; /* turn off suid for file. */
+#ifdef CREATE_SGUID_ADMIN_ONLY
+ targetptr->disk.modeBits &= ~02000; /* turn off sgid for file. */
+#endif
+ }
 }
 if (Caller & TVS_SSTATUS) { /* update time on non-status change */
 /* store status, must explicitly request to change the date */
@@ -6084,7 +6091,12 @@ Update_TargetVnodeStatus(targetptr, Caller, client, InStatus, parentptr, volptr,
 if (InStatus->Mask & AFS_SETOWNER) {
 /* admin is allowed to do chmod, chown as well as chown, chmod. */
 if (VanillaUser(client))
+ {
 targetptr->disk.modeBits &= ~04000; /* turn off suid for file. */
+#ifdef CREATE_SGUID_ADMIN_ONLY
+ targetptr->disk.modeBits &= ~02000; /* turn off sgid for file. */
+#endif
+ }
 targetptr->disk.owner = InStatus->Owner;
 if (VolumeRootVnode (targetptr)) {
 Error errorCode = 0; /* what should be done with this? */
--
1.9.4
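Review bot: `CREATE_SGUID_ADMIN_ONLY` is tested with `#ifdef` in the two later hunks, so its value is ignored: changing the `1` to `0` on this line would leave the setgid stripping enabled. Either test it with `#if CREATE_SGUID_ADMIN_ONLY` at both sites, or document the define, for example `/* If defined (any value), setgid is cleared together with setuid when a non-admin client stores data or changes the owner; delete this line to disable. */`. Because the macro is defined unconditionally in this file, the guarded lines are always compiled in and cannot be switched off from the build without editing the source.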
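Review bot: The setuid and setgid strips in the `TVS_SDATA` branch are two separate statements with an `#ifdef` between them, and the same block is repeated in the `AFS_SETOWNER` hunk, so a later edit can change one site and miss the other. A single file-level mask defined next to `CREATE_SGUID_ADMIN_ONLY` (04000, or 06000 when the macro is defined) would reduce each site to one statement, e.g. `targetptr->disk.modeBits &= ~mask;` with a name of your choosing, and would keep preprocessor lines out of the function body. The added `{` on its own line also departs from the `if (...) {` form used by the surrounding context lines. Update_TargetVnodeStatus starts and ends outside this hunk.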
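Review bot: The setgid bit is cleared only inside the `AFS_SETOWNER` branch, yet setgid takes its meaning from the file's group, not its owner. If a non-admin client can change the group through an `AFS_SETGROUP` mask, the file would keep 02000 under the new group; that branch, if it exists, lies outside this hunk, so this cannot be confirmed from the lines shown. It is worth checking that path and, if needed, adding the same guard there: `if (VanillaUser(client)) targetptr->disk.modeBits &= ~02000;`. The path that stores new mode bits from `InStatus` is also outside the hunk and deserves the same check, since a strip here has little effect if a non-admin can set the bit again.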