authorThomas Bushnell <thomas@gnu.org>1997-09-16 19:18:27 +0000
committerThomas Bushnell <thomas@gnu.org>1997-09-16 19:18:27 +0000
commitebec7389d6965d2ac1d940cf59f03fa5c3c3ca6e (patch)
tree878e74b3c9f0cff6000ac65332ae7ecfdf5fe031
parent2e3dfbb0f86717b4111e81e3f2f0422926d5a29f (diff)
Tue Sep 16 14:37:51 1997 Thomas Bushnell, n/BSG <thomas@gnu.ai.mit.edu>
* priv.h (nosuid, noexec): New variables. * init-init.c (nosuid, noexec): New variables, initialized to zero. * file-exec.c (diskfs_S_file_exec): If noexec is on, then prohibit all execution with EACCES. If nosuid is on, then prohibit setuid or setgid execution by silently omitting the uid substitution. * opts-std-startup.c (parse_startup_opt): Implement --no-suid and --no-exec. * opts-common.c (diskfs_common_options): Add --no-suid and --no-exec. * opts-std-runtime.c (struct parse_hook): Add nosuid and noexec. (parse_opt) [cases 'S', 'E', OPT_SUID_OK, OPT_EXEC_OK] Understand --no-suid, --no-exec, --suid-ok, and --exec-ok. (parse_opt) [case ARGP_KEY_INIT]: Initialize H->nosuid and H->noexec. (OPT_SUID_OK, OPT_EXEC_OK): New macros. (std_runtime_options): Add --suid-ok and --exec-ok. (set_opts): Set nosuid and noexec from H->nosuid and H->noexec. * opts-common.c (diskfs_common_options): Rename --nosync to --no-sync; leave --nosync as an alias.
-rw-r--r--libdiskfs/ChangeLog23
-rw-r--r--libdiskfs/file-exec.c5
-rw-r--r--libdiskfs/init-init.c4
-rw-r--r--libdiskfs/opts-common.c7
-rw-r--r--libdiskfs/opts-std-runtime.c18
-rw-r--r--libdiskfs/opts-std-startup.c7
-rw-r--r--libdiskfs/priv.h3
7 files changed, 61 insertions, 6 deletions
diff --git a/libdiskfs/ChangeLog b/libdiskfs/ChangeLog
index 1fbe0636..ce951baf 100644
--- a/libdiskfs/ChangeLog
+++ b/libdiskfs/ChangeLog
@@ -1,3 +1,26 @@
+Tue Sep 16 14:37:51 1997 Thomas Bushnell, n/BSG <thomas@gnu.ai.mit.edu>
+
+ * priv.h (nosuid, noexec): New variables.
+ * init-init.c (nosuid, noexec): New variables, initialized to zero.
+ * file-exec.c (diskfs_S_file_exec): If noexec is on, then prohibit
+ all execution with EACCES. If nosuid is on, then prohibit setuid
+ or setgid execution by silently omitting the uid substitution.
+ * opts-std-startup.c (parse_startup_opt): Implement --no-suid and
+ --no-exec.
+ * opts-common.c (diskfs_common_options): Add --no-suid and
+ --no-exec.
+ * opts-std-runtime.c (struct parse_hook): Add nosuid and noexec.
+ (parse_opt) [cases 'S', 'E', OPT_SUID_OK, OPT_EXEC_OK] Understand
+ --no-suid, --no-exec, --suid-ok, and --exec-ok.
+ (parse_opt) [case ARGP_KEY_INIT]: Initialize H->nosuid and
+ H->noexec.
+ (OPT_SUID_OK, OPT_EXEC_OK): New macros.
+ (std_runtime_options): Add --suid-ok and --exec-ok.
+ (set_opts): Set nosuid and noexec from H->nosuid and H->noexec.
+
+ * opts-common.c (diskfs_common_options): Rename --nosync to
+ --no-sync; leave --nosync as an alias.
+
Wed Aug 20 14:03:41 1997 Thomas Bushnell, n/BSG <thomas@gnu.ai.mit.edu>
* diskfs.h: Doc fix.
diff --git a/libdiskfs/file-exec.c b/libdiskfs/file-exec.c
index f332e700..1c6f6f70 100644
--- a/libdiskfs/file-exec.c
+++ b/libdiskfs/file-exec.c
@@ -71,6 +71,9 @@ diskfs_S_file_exec (struct protid *cred,
gid = np->dn_stat.st_uid;
mutex_unlock (&np->lock);
+ if (noexec)
+ return EACCES;
+
if ((cred->po->openstat & O_EXEC) == 0)
return EBADF;
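Review bot: The context line `gid = np->dn_stat.st_uid;` just above the new `noexec` check reads the owner's uid into `gid`, which looks like a typo for `st_gid`. If `gid` feeds the set-gid substitution that the next hunk gates with `nosuid` (that code is outside this hunk, so this is inferred), a set-gid file would grant the wrong group id. The line should probably read `gid = np->dn_stat.st_gid;`. diskfs_S_file_exec starts before and continues after this hunk.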
@@ -83,7 +86,7 @@ diskfs_S_file_exec (struct protid *cred,
suid = mode & S_ISUID;
sgid = mode & S_ISGID;
- if (suid || sgid)
+ if (!nosuid && (suid || sgid))
{
int secure = 0;
error_t get_file_ids (struct idvec *uids, struct idvec *gids)
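Review bot: The new test `if (!nosuid && (suid || sgid))` carries no comment saying that under nosuid the file is still executed, only without the id substitution. The `--no-suid` help text added in opts-common.c ("Don't permit set-uid or set-gid execution") reads as if the exec were refused, so an administrator could misjudge what the option protects against. I would add `/* With nosuid the file still runs, but with the caller's own ids. */` above the test and reword the help string to `"Ignore set-uid and set-gid bits when executing files"`. The block opened here continues outside the hunk.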
diff --git a/libdiskfs/init-init.c b/libdiskfs/init-init.c
index 14c6f84d..b575b625 100644
--- a/libdiskfs/init-init.c
+++ b/libdiskfs/init-init.c
@@ -1,5 +1,5 @@
/*
- Copyright (C) 1994, 1995, 1996 Free Software Foundation
+ Copyright (C) 1994, 1995, 1996, 1997 Free Software Foundation
This file is part of the GNU Hurd.
@@ -30,6 +30,8 @@ mach_port_t diskfs_auth_server_port;
volatile struct mapped_time_value *diskfs_mtime;
mach_port_t diskfs_fsys_identity;
+int nosuid = 0, noexec = 0;
+
spin_lock_t diskfs_node_refcnt_lock = SPIN_LOCK_INITIALIZER;
spin_lock_t _diskfs_control_lock = SPIN_LOCK_INITIALIZER;
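Review bot: `nosuid` and `noexec` are defined here as non-static globals with unprefixed names, while the neighbouring variables in this file all carry a `diskfs_` or `_diskfs_` prefix. These are security switches inside a library, so a program linking libdiskfs that defines its own `nosuid` or `noexec` could clash with them or, depending on how it is linked, end up sharing the symbol. I would name them `int _diskfs_nosuid = 0, _diskfs_noexec = 0;` and rename the `extern` declaration in priv.h and the uses in file-exec.c, opts-std-runtime.c and opts-std-startup.c to match.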
diff --git a/libdiskfs/opts-common.c b/libdiskfs/opts-common.c
index 5d94f7b4..41bf1a8b 100644
--- a/libdiskfs/opts-common.c
+++ b/libdiskfs/opts-common.c
@@ -1,6 +1,6 @@
/* Options common to both startup and runtime
- Copyright (C) 1995, 1996 Free Software Foundation, Inc.
+ Copyright (C) 1995, 1996, 1997 Free Software Foundation, Inc.
Written by Miles Bader <miles@gnu.ai.mit.edu>
@@ -32,6 +32,9 @@ const struct argp_option diskfs_common_options[] =
"If INTERVAL is supplied, sync all data not actually written to disk"
" every INTERVAL seconds, otherwise operate in synchronous mode (the"
" default is to sync every 30 seconds)"},
- {"nosync", 'n', 0, 0, "Don't automatically sync data to disk"},
+ {"no-sync", 'n', 0, 0, "Don't automatically sync data to disk"},
+ {"nosync", 0, 0, OPTION_ALIAS | OPTION_HIDDEN},
+ {"no-suid", 'S', 0, 0, "Don't permit set-uid or set-gid execution"},
+ {"no-exec", 'E', 0, 0, "Don't permit any execution of files on this filesystem"},
{0, 0}
};
diff --git a/libdiskfs/opts-std-runtime.c b/libdiskfs/opts-std-runtime.c
index 41df2111..9892d1a2 100644
--- a/libdiskfs/opts-std-runtime.c
+++ b/libdiskfs/opts-std-runtime.c
@@ -22,17 +22,22 @@
#include "priv.h"
+#define SUID_OK_OPT 600
+#define EXEC_OK_OPT 601
+
static const struct argp_option
std_runtime_options[] =
{
{"update", 'u', 0, 0, "Flush any meta-data cached in core"},
{"remount", 0, 0, OPTION_HIDDEN | OPTION_ALIAS}, /* deprecated */
+ {"suid-ok", OPT_SUID_OK, 0, 0, "Enable set-uid execution"},
+ {"exec-ok", OPT_EXEC_OK, 0, 0, "Enable execution of files"},
{0, 0}
};
struct parse_hook
{
- int readonly, sync, sync_interval, remount;
+ int readonly, sync, sync_interval, remount, nosuid, noexec;
};
/* Implement the options in H, and free H. */
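Review bot: The two macros are defined as `SUID_OK_OPT` and `EXEC_OK_OPT`, but the option table in this hunk and the `case` labels added to parse_opt further down use `OPT_SUID_OK` and `OPT_EXEC_OK`. Unless those names are defined somewhere not shown on this page, the file will not compile, and `--suid-ok` / `--exec-ok` cannot be parsed. The ChangeLog entry names the macros `OPT_SUID_OK` and `OPT_EXEC_OK`, so the defines should read `#define OPT_SUID_OK 600` and `#define OPT_EXEC_OK 601`.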
@@ -71,6 +76,11 @@ set_opts (struct parse_hook *h)
diskfs_set_sync_interval (h->sync_interval);
}
+ if (h->nosuid != -1)
+ nosuid = h->nosuid;
+ if (h->noexec != -1)
+ noexec = h->noexec;
+
free (h);
return err;
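Review bot: The `-1` tested in `if (h->nosuid != -1)` and `if (h->noexec != -1)` is an undocumented sentinel; it is set in the ARGP_KEY_INIT hunk below by `h->nosuid = h->noexec = -1;`. Since these fields decide whether a security restriction is changed at runtime, I would add `/* -1 means the option was not given; leave the current setting alone. */` above the two tests, and a matching remark on the `struct parse_hook` fields. set_opts starts outside the hunk, so whether these assignments also run after an earlier step has failed cannot be seen from here.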
@@ -86,6 +96,10 @@ parse_opt (int opt, char *arg, struct argp_state *state)
case 'r': h->readonly = 1; break;
case 'w': h->readonly = 0; break;
case 'u': h->remount = 1; break;
+ case 'S': h->nosuid = 1; break;
+ case 'E': h->noexec = 1; break;
+ case OPT_SUID_OK: h->nosuid = 0; break;
+ case OPT_EXEC_OK: h->noexec = 0; break;
case 'n': h->sync_interval = 0; h->sync = 0; break;
case 's':
if (arg)
@@ -97,6 +111,7 @@ parse_opt (int opt, char *arg, struct argp_state *state)
h->sync = 1;
break;
+
case ARGP_KEY_INIT:
if (state->input)
state->hook = state->input; /* Share hook with parent. */
@@ -109,6 +124,7 @@ parse_opt (int opt, char *arg, struct argp_state *state)
h->sync = diskfs_synchronous;
h->sync_interval = -1;
h->remount = 0;
+ h->nosuid = h->noexec = -1;
/* We know that we have one child, with which we share our hook. */
state->child_inputs[0] = h;
diff --git a/libdiskfs/opts-std-startup.c b/libdiskfs/opts-std-startup.c
index 1488fdb5..1516b84e 100644
--- a/libdiskfs/opts-std-startup.c
+++ b/libdiskfs/opts-std-startup.c
@@ -1,6 +1,6 @@
/* Standard startup-time command line parser
- Copyright (C) 1995, 1996 Free Software Foundation, Inc.
+ Copyright (C) 1995, 1996, 1997 Free Software Foundation, Inc.
Written by Miles Bader <miles@gnu.ai.mit.edu>
@@ -59,6 +59,10 @@ parse_startup_opt (int opt, char *arg, struct argp_state *state)
diskfs_readonly = 1; break;
case 'w':
diskfs_readonly = 0; break;
+ case 'S':
+ nosuid = 1; break;
+ case 'E':
+ noexec = 1; break;
case 's':
if (arg == NULL)
diskfs_synchronous = 1;
@@ -70,6 +74,7 @@ parse_startup_opt (int opt, char *arg, struct argp_state *state)
diskfs_default_sync_interval = 0;
break;
+
/* Boot options */
case OPT_DEVICE_MASTER_PORT:
_hurd_device_master = atoi (arg); break;
diff --git a/libdiskfs/priv.h b/libdiskfs/priv.h
index eab1ed43..bd6e5304 100644
--- a/libdiskfs/priv.h
+++ b/libdiskfs/priv.h
@@ -29,6 +29,9 @@
extern mach_port_t fs_control_port; /* receive right */
+/* These inhibit setuid or exec. */
+extern int nosuid, noexec;
+
volatile struct mapped_time_value *_diskfs_mtime;
extern struct argp_option diskfs_common_options[];