
cr_canseeothergids(): Use real instead of effective group membership
Closed, Public

Authored by olce on Jun 20 2023, 1:45 PM.

Details

Summary

Using the effective group and not the real one when testing membership has the
consequence that unprivileged processes cannot see setuid commands they launch
until these have relinquished their privileges. This is also in contradiction
with how the similar cr_canseeotheruids() works, i.e., by taking into account
real user IDs.

Fix this by substituting groupmember() with realgroupmember(). While here,
simplify the code.

PR: 272093

Diff Detail

Repository: rG FreeBSD src repository
Lint: Lint Not Applicable
Unit: Tests Not Applicable

Event Timeline

olce requested review of this revision. Jun 20 2023, 1:45 PM

The change requires some elaboration in the description. The text from the PR would be fine.

sys/kern/kern_prot.c
1410–1411

This is a style regression. Even though see_other_gids has an int type, it is a boolean variable and so we should check its truthiness directly.

olce edited the summary of this revision.

Fix style of the test on see_other_gids.

olce marked an inline comment as done. Jul 10 2023, 3:17 PM
mhorne added inline comments.
sys/kern/kern_prot.c
1412–1422

My only clarification... u1->cr_groups[0] contains the effective gid, right? That is why you have split this statement from the loop?

This revision is now accepted and ready to land. Jul 11 2023, 4:58 PM
olce marked an inline comment as done. Jul 11 2023, 5:28 PM
olce added inline comments.
sys/kern/kern_prot.c
1412–1422

Exactly. That's also why the next loop starts with index 1.

olce marked an inline comment as done. Jul 11 2023, 5:29 PM
olce retitled this revision from cr_seeothergids(): Use real instead of effective group membership to cr_canseeothergids(): Use real instead of effective group membership.
olce edited the summary of this revision.

'cr_see*' => 'cr_cansee*' (suppressed a rename in the stack).

This revision now requires review to proceed. Jul 20 2023, 10:35 AM

Impacts of (suppressing) the rename, so re-validating.

This revision is now accepted and ready to land. Jul 20 2023, 10:37 AM
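
A userspace model of the membership comparison discussed in the summary and in the inline comments on `cr_groups[0]`, added here as an illustration; it is not code from this revision or from `sys/kern/kern_prot.c`. The struct layout, the `model_*` and `cansee_*` names, the shape of the pre-change loop and the sample credentials are assumptions, and only the group comparison is modelled (no `see_other_gids` switch).

```c
#include <stdbool.h>
#include <sys/types.h>

/* Simplified userspace stand-in for a credential (hypothetical layout). */
struct model_cred {
	gid_t rgid;      /* real GID */
	int   ngroups;   /* entries used in groups[] */
	gid_t groups[4]; /* [0] = effective GID, [1..] = supplementary */
};

static bool in_supplementary(gid_t gid, const struct model_cred *c) {
	for (int i = 1; i < c->ngroups; i++)
		if (c->groups[i] == gid)
			return true;
	return false;
}

/* Effective membership: effective GID or a supplementary group. */
static bool model_groupmember(gid_t gid, const struct model_cred *c) {
	return c->groups[0] == gid || in_supplementary(gid, c);
}

/* Real membership: real GID or a supplementary group. */
static bool model_realgroupmember(gid_t gid, const struct model_cred *c) {
	return c->rgid == gid || in_supplementary(gid, c);
}

/* Assumed old behaviour: every entry of u1 tested for effective membership. */
bool cansee_effective(const struct model_cred *u1, const struct model_cred *u2) {
	for (int i = 0; i < u1->ngroups; i++)
		if (model_groupmember(u1->groups[i], u2))
			return true;
	return false;
}

/* New behaviour: u1's real GID first, then supplementary groups from index 1. */
bool cansee_real(const struct model_cred *u1, const struct model_cred *u2) {
	if (model_realgroupmember(u1->rgid, u2))
		return true;
	for (int i = 1; i < u1->ngroups; i++)
		if (model_realgroupmember(u1->groups[i], u2))
			return true;
	return false;
}

/* Constructed: a shell, and a command it launched that runs with another
 * effective GID while keeping the shell's real GID. */
const struct model_cred shell_cred   = { 1001, 1, { 1001 } };
const struct model_cred command_cred = { 1001, 1, { 5 } };
int main(void) { return cansee_real(&shell_cred, &command_cred) ? 0 : 1; }
```

With these constructed credentials the effective-membership check hides the launched command from the shell that started it, while the real-membership check keeps it visible and still hides a process that shares no real or supplementary group.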