Page MenuHomeFreeBSD
Differential D56592

mac_seeotheruids: allow specificgid to be a list of groups
ClosedPublic
Actions

Authored by kevans on Thu, Apr 23, 3:05 AM.
Tags
None
Referenced Files
F153978842: D56592.diff
Sat, Apr 25, 5:46 AM
Unknown Object (File)
Thu, Apr 23, 3:34 AM
Unknown Object (File)
Thu, Apr 23, 3:33 AM
Unknown Object (File)
Thu, Apr 23, 3:32 AM
Unknown Object (File)
Thu, Apr 23, 3:26 AM
Subscribers
imp
ziaee

Details

Reviewers
olce
csjp
Group Reviewers
Klara
Commits
rGb675ff8eedc9: mac_seeotheruids: allow specificgid to be a list of groups
Summary

The specificgid functionality has historically allowed only a single
group to be exempt, but in practice one might want a few services to
be exempt for reasons. From a security perspective, we probably don't
want to encourage unrelated users to be grouped together solely for
this purpose, as that creates one point of shared access that could be
used for nefarious purposes.

Normalize the group list as we do cr_groups to allow for linear matching
rather than quadratic, we just need to account for the differences in
FreeBSD 15.0+ where cr_groups is entirely supplementary groups vs.
earlier versions, where cr_groups[0] is the egid and the rest is
sorted.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kevans created this revision.Thu, Apr 23, 3:05 AM
Herald added subscribers: ziaee, imp. · View Herald TranscriptThu, Apr 23, 3:05 AM
kevans requested review of this revision.Thu, Apr 23, 3:05 AM
Harbormaster completed remote builds in B72458: Diff 176232.Thu, Apr 23, 3:05 AM
csjp requested changes to this revision.Thu, Apr 23, 4:08 AM
csjp added inline comments.
sys/security/mac_seeotheruids/mac_seeotheruids.c
158
sizeof(*newgids)

Instead? What you have works but it's wasteful. sizeof(newgids) is the size of a pointer (8 bytes on 64-bit), not the size of a gid_t (4 bytes)

176

Same here

sizeof(*newgids)
257

If suppgroups is sorted ascending do you want:

/* advance past values smaller than cgid */
while (s < nsupp && suppgroups[s] < cgid)
    s++;

here instead?

The while condition cgid < suppgroups[s] was meant to skip past entries in suppgroups that can't match. But it skips entries where suppgroups[s] is larger than cgid. For an ascending array that means it skips nothing useful... it would only fire if cgid were smaller than the current entry, at which point advancing s forward makes things worse, not better.

This revision now requires changes to proceed.Thu, Apr 23, 4:08 AM
kevans updated this revision to Diff 176248.Thu, Apr 23, 12:05 PM
kevans marked 3 inline comments as done.

Fix sizes and wrong condition

Harbormaster completed remote builds in B72467: Diff 176248.Thu, Apr 23, 12:05 PM
kevans added inline comments.Thu, Apr 23, 12:05 PM
sys/security/mac_seeotheruids/mac_seeotheruids.c
158

Yeah, unclear why I typo'd the allocations and not the SYSCTL_*() calls...

257

:facepalm:

csjp accepted this revision.Thu, Apr 23, 1:28 PM
This revision is now accepted and ready to land.Thu, Apr 23, 1:28 PM
Closed by commit rGb675ff8eedc9: mac_seeotheruids: allow specificgid to be a list of groups (authored by kevans). · Explain WhyThu, Apr 23, 9:13 PM
This revision was automatically updated to reflect the committed changes.
kevans added a commit: rGb675ff8eedc9: mac_seeotheruids: allow specificgid to be a list of groups.

Revision Contents
Changeset List

PathSize
share/
man/
man4/
4 lines
sys/
security/
mac_seeotheruids/
174 lines

Diff 176299

View Options

share/man/man4/mac_seeotheruids.4

Loading...
View Options

sys/security/mac_seeotheruids/mac_seeotheruids.c

Loading...