From 795bccbf697a805eaece48e1c554fc5fe1ab09fc Mon Sep 17 00:00:00 2001
From: Andreas Kling <kling@serenityos.org>
Date: Sun, 10 Jan 2021 10:12:15 +0100
Subject: [PATCH] Kernel: Don't allow non-root, non-owners to rmdir any child
 of sticky

We were not handling sticky parents properly in sys$rmdir(). Child
directories of a sticky parent should not be rmdir'able by just anyone.
Only the owner and root.

Fixes #4875.
---
 Kernel/FileSystem/VirtualFileSystem.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Kernel/FileSystem/VirtualFileSystem.cpp b/Kernel/FileSystem/VirtualFileSystem.cpp
index 29e69308f2..05910e0110 100644
--- a/Kernel/FileSystem/VirtualFileSystem.cpp
+++ b/Kernel/FileSystem/VirtualFileSystem.cpp
@@ -750,10 +750,16 @@ KResult VFS::rmdir(StringView path, Custody& base)
         return KResult(-EBUSY);
 
     auto& parent_inode = parent_custody->inode();
+    auto parent_metadata = parent_inode.metadata();
 
-    if (!parent_inode.metadata().may_write(*Process::current()))
+    if (!parent_metadata.may_write(*Process::current()))
         return KResult(-EACCES);
 
+    if (parent_metadata.is_sticky()) {
+        if (!Process::current()->is_superuser() && inode.metadata().uid != Process::current()->euid())
+            return KResult(-EACCES);
+    }
+
     KResultOr<size_t> dir_count_result = inode.directory_entry_count();
     if (dir_count_result.is_error())
         return dir_count_result.result();