author | Olivier Certner <olce.freebsd@certner.fr> | 2023-08-17 23:54:45 +0000 |
---|---|---|
committer | Mitchell Horne <mhorne@FreeBSD.org> | 2023-09-28 15:05:46 +0000 |
commit | 91658080f1a598ddda03943a783c9a941199f7d2 (patch) | |
tree | ed8074a9167f3474de43a4c371d615d4eacf0619 | |
parent | 2a2bfa6ad92e9c82dcc55733ad2fd58fd2ea7559 (diff) | |
cr_canseeothergids(): Use real instead of effective group membership
Using the effective group and not the real one when testing membership
has the consequence that unprivileged processes cannot see setuid
commands they launch until these have relinquished their privileges.
This is also in contradiction with how the similar cr_canseeotheruids()
works, i.e., by taking into account real user IDs.
Fix this by substituting groupmember() with realgroupmember(). While
here, simplify the code.
PR: 272093
Reviewed by: mhorne
MFC after: 2 weeks
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40642
-rw-r--r-- | sys/kern/kern_prot.c | 23 |
1 files changed, 10 insertions, 13 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index b62a5e9ee20b..0f15771fb00d 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1408,21 +1408,18 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
 static int
 cr_canseeothergids(struct ucred *u1, struct ucred *u2)
 {
- int i, match;
-
 if (!see_other_gids) {
- match = 0;
- for (i = 0; i < u1->cr_ngroups; i++) {
- if (groupmember(u1->cr_groups[i], u2))
- match = 1;
- if (match)
- break;
- }
- if (!match) {
- if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0)
- return (ESRCH);
- }
+ if (realgroupmember(u1->cr_rgid, u2))
+ return (0);
+
+ for (int i = 1; i < u1->cr_ngroups; i++)
+ if (realgroupmember(u1->cr_groups[i], u2))
+ return (0);
+
+ if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0)
+ return (ESRCH);
 }
+
 return (0);
 }
|
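Review bot: The loop `for (int i = 1; i < u1->cr_ngroups; i++)` starts at index 1 with no comment saying why slot 0 is skipped; it presumably relies on `cr_groups[0]` holding the effective GID, which the new code replaces with the explicit `u1->cr_rgid` test. Because this function gates process visibility when `see_other_gids` is off, that layout assumption should be stated where it is used, e.g. `/* cr_groups[0] is the effective GID: skip it, compare real and supplementary groups only. */` above the loop. The new code also stops considering u1's own effective group, whereas the commit message only describes the change to the membership test against u2. The function's header comment lies outside this hunk; it would be the place to record that both credentials are now compared on real and supplementary groups.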