authorOlivier Certner <olce.freebsd@certner.fr>2023-08-17 23:54:45 +0000
committerOlivier Certner <olce@FreeBSD.org>2023-12-21 13:38:07 +0000
commitf0951233c6d33da3c9a6bc347d9ae7aa911d7ca9 (patch)
tree712e840354f8b768287f883af0e1074ded99f5b4
parent3eb8bf041831a0f5ee6e682a9826c1ae89b254a4 (diff)
cr_canseeothergids(): Use real instead of effective group membership
Using the effective group and not the real one when testing membership has the consequence that unprivileged processes cannot see setuid commands they launch until these have relinquished their privileges. This is also in contradiction with how the similar cr_canseeotheruids() works, i.e., by taking into account real user IDs. Fix this by substituting groupmember() with realgroupmember(). While here, simplify the code. PR: 272093 Reviewed by: mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40642 (cherry picked from commit 91658080f1a598ddda03943a783c9a941199f7d2) Approved by: markj (mentor)
-rw-r--r--sys/kern/kern_prot.c23
1 files changed, 10 insertions, 13 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index e6c11d2ea74b..1c9e2927bc5e 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1406,21 +1406,18 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
int
cr_canseeothergids(struct ucred *u1, struct ucred *u2)
{
- int i, match;
-
if (!see_other_gids) {
- match = 0;
- for (i = 0; i < u1->cr_ngroups; i++) {
- if (groupmember(u1->cr_groups[i], u2))
- match = 1;
- if (match)
- break;
- }
- if (!match) {
- if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0)
- return (ESRCH);
- }
+ if (realgroupmember(u1->cr_rgid, u2))
+ return (0);
+
+ for (int i = 1; i < u1->cr_ngroups; i++)
+ if (realgroupmember(u1->cr_groups[i], u2))
+ return (0);
+
+ if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0)
+ return (ESRCH);
}
+
return (0);
}
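Review bot: The loop at `for (int i = 1; i < u1->cr_ngroups; i++)` starts at index 1 without saying why, and the only thing that makes that correct is the convention (used elsewhere in this file, as far as I can tell) that `cr_groups[0]` holds the effective GID, which this change deliberately replaces with the `u1->cr_rgid` test on the line above; a reader who does not know the layout will read the skipped slot as an off-by-one. A short comment above the loop would pin the dependency: `/* cr_groups[0] is the effective GID, already covered by the cr_rgid check above; only the supplementary groups remain. */`. Since this function decides which processes an unprivileged subject may observe under security.bsd.see_other_gids, it would also help to state in the function's header comment (outside this hunk) that membership is now evaluated against u2's real group set, the same way cr_canseeotheruids() uses real UIDs, so a future change to one does not silently diverge from the other.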