
cr_canseeothergids(): Use real instead of effective group membership
Closed, Public

Authored by olce on Jun 20 2023, 1:45 PM.

Details

Summary

Using the effective group and not the real one when testing membership has the
consequence that unprivileged processes cannot see setuid commands they launch
until these have relinquished their privileges. This is also in contradiction
with how the similar cr_canseeotheruids() works, i.e., by taking into account
real user IDs.

Fix this by substituting groupmember() with realgroupmember(). While here,
simplify the code.

PR: 272093

Diff Detail

Repository: rG FreeBSD src repository
Lint: Lint Skipped
Unit: Tests Skipped
Build Status: Buildable 52540
Build 49431: arc lint + arc unit

Event Timeline

olce requested review of this revision. Jun 20 2023, 1:45 PM

The change requires some elaboration in the description. The text from the PR would be fine.

sys/kern/kern_prot.c
1414–1415

This is a style regression. Even though see_other_gids has an int type, it is a boolean variable and so we should check its truthiness directly.

olce edited the summary of this revision.

Fix style of the test on see_other_gids.

olce marked an inline comment as done. Jul 10 2023, 3:17 PM
mhorne added inline comments.
sys/kern/kern_prot.c
1416–1417

My only clarification... u1->cr_groups[0] contains the effective gid, right? That is why you have split this statement from the loop?

This revision is now accepted and ready to land. Jul 11 2023, 4:58 PM
olce marked an inline comment as done. Jul 11 2023, 5:28 PM
olce added inline comments.
sys/kern/kern_prot.c
1416–1417

Exactly. That's also why the next loop starts with index 1.

olce marked an inline comment as done. Jul 11 2023, 5:29 PM
olce retitled this revision from cr_seeothergids(): Use real instead of effective group membership to cr_canseeothergids(): Use real instead of effective group membership.
olce edited the summary of this revision.

'cr_see*' => 'cr_cansee*' (suppressed a rename in the stack).

This revision now requires review to proceed. Jul 20 2023, 10:35 AM

Impacts of (suppressing) the rename, so re-validating.

This revision is now accepted and ready to land. Jul 20 2023, 10:37 AM
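
The difference between the two membership tests described in the summary and in the inline comments on `u1->cr_groups[0]`, as an added userland model in C (not the FreeBSD kernel code and not part of this revision). Assumptions: `struct cred` and all function names here are hypothetical, real membership is taken to mean the real GID plus the supplementary groups, the `see_other_gids` toggle and any privilege override are left out, and the launched process is modelled as keeping its launcher's real GID while running with a different effective GID.

```c
#include <errno.h>
#include <stdio.h>

struct cred {                /* simplified stand-in, not the kernel's struct ucred */
	unsigned rgid;       /* real GID */
	int ngroups;         /* entries used in groups[] */
	unsigned groups[4];  /* [0] = effective GID, [1..] = supplementary */
};
static int supp_member(unsigned gid, const struct cred *c) {
	for (int i = 1; i < c->ngroups; i++)
		if (c->groups[i] == gid)
			return 1;
	return 0;
}
/* Effective membership: effective GID or a supplementary group. */
static int eff_member(unsigned gid, const struct cred *c) {
	return gid == c->groups[0] || supp_member(gid, c);
}
/* Real membership (assumed semantics): real GID or a supplementary group. */
static int real_member(unsigned gid, const struct cred *c) {
	return gid == c->rgid || supp_member(gid, c);
}

/* Before: each of u1's groups, index 0 included, tested effectively. */
int cansee_effective(const struct cred *u1, const struct cred *u2) {
	for (int i = 0; i < u1->ngroups; i++)
		if (eff_member(u1->groups[i], u2))
			return 0;
	return ESRCH;
}

/* After: u1's real GID, then its supplementary groups from index 1. */
int cansee_real(const struct cred *u1, const struct cred *u2) {
	if (real_member(u1->rgid, u2))
		return 0;
	for (int i = 1; i < u1->ngroups; i++)
		if (real_member(u1->groups[i], u2))
			return 0;
	return ESRCH;
}
/* Constructed sample credentials. */
const struct cred launcher = { 1001, 1, { 1001 } };  /* unprivileged shell */
const struct cred launched = { 1001, 1, { 4 } };     /* same real GID, other effective GID */
const struct cred stranger = { 2002, 1, { 2002 } };  /* unrelated process */

int main(void) {
	printf("effective: %d  real: %d  stranger: %d\n", cansee_effective(&launcher, &launched),
	    cansee_real(&launcher, &launched), cansee_real(&launcher, &stranger));
	return 0;
}
```

In the model, the launcher is denied visibility of its own child under the effective test and granted it under the real test, while an unrelated process with no shared group stays hidden in both.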