Page MenuHomeFreeBSD

cr_canseeothergids(): Use real instead of effective group membership
ClosedPublic

Authored by olce on Jun 20 2023, 1:45 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Nov 27, 6:19 PM
Unknown Object (File)
Mon, Nov 25, 7:34 PM
Unknown Object (File)
Sun, Nov 24, 2:45 PM
Unknown Object (File)
Sat, Nov 23, 12:44 AM
Unknown Object (File)
Thu, Nov 21, 9:01 AM
Unknown Object (File)
Wed, Nov 20, 12:48 AM
Unknown Object (File)
Mon, Nov 18, 2:30 PM
Unknown Object (File)
Mon, Nov 18, 1:00 PM

Details

Summary

Using the effective group and not the real one when testing membership has the
consequence that unprivileged processes cannot see setuid commands they launch
until these have relinquished their privileges. This is also in contradiction
with how the similar cr_canseeotheruids() works, i.e., by taking into account
real user IDs.

Fix this by substituting groupmember() with realgroupmember(). While here,
simplify the code.

PR: 272093

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

olce requested review of this revision.Jun 20 2023, 1:45 PM

The change requires some elaboration in the description. The text from the PR would be fine.

sys/kern/kern_prot.c
1410–1411

This is a style regression. Even though see_other_gids has an int type, it is a boolean variable and so we should check its truthiness directly.

olce edited the summary of this revision. (Show Details)

Fix style of the test on see_other_gids.

olce marked an inline comment as done.Jul 10 2023, 3:17 PM
mhorne added inline comments.
sys/kern/kern_prot.c
1412–1422

My only clarification... u1->cr_groups[0] contains the effective gid, right? That is why you have split this statement from the loop?

This revision is now accepted and ready to land.Jul 11 2023, 4:58 PM
olce marked an inline comment as done.Jul 11 2023, 5:28 PM
olce added inline comments.
sys/kern/kern_prot.c
1412–1422

Exactly. That's also why next loop starts with index 1.

olce marked an inline comment as done.Jul 11 2023, 5:29 PM
olce retitled this revision from cr_seeothergids(): Use real instead of effective group membership to cr_canseeothergids(): Use real instead of effective group membership.
olce edited the summary of this revision. (Show Details)

'cr_see*' => 'cr_cansee*' (suppressed a rename in the stack).

This revision now requires review to proceed.Jul 20 2023, 10:35 AM

Impacts of (suppressing) the rename, so re-validating.

This revision is now accepted and ready to land.Jul 20 2023, 10:37 AM