Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 21 Dec 2023 13:43:49 GMT
From:      Olivier Certner <olce@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 9fcf54d3750e - stable/13 - setusercontext(): Apply personal settings only on matching effective UID
Message-ID:  <202312211343.3BLDhnYl079678@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch stable/13 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=9fcf54d3750e379868e51e4aa7fbf696877ab2ed

commit 9fcf54d3750e379868e51e4aa7fbf696877ab2ed
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-05-30 16:35:08 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2023-12-21 13:39:03 +0000

    setusercontext(): Apply personal settings only on matching effective UID
    
    Commit 35305a8dc114 (r211393) added a check on whether 'uid' was equal
    to getuid() before calling setlogincontext().  Doing so still allows
    a setuid program to apply resource limits and priorities specified in
    a user-controlled configuration file ('~/.login_conf') where
    a non-setuid program could not.  Plug the hole by checking instead that
    the process' effective UID is the target one (which is likely what was
    meant in the initial commit).
    
    PR:                     271750
    Reviewed by:            kib, des
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40351
    
    (cherry picked from commit 892654fe9b5a9115815c30a423b8db47185aebbd)
    
    Approved by:    markj (mentor)
---
 lib/libutil/login_class.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/libutil/login_class.c b/lib/libutil/login_class.c
index 90a3ec5d106a..1036e9f9208c 100644
--- a/lib/libutil/login_class.c
+++ b/lib/libutil/login_class.c
@@ -546,7 +546,7 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in
     /*
      * Now, we repeat some of the above for the user's private entries
      */
-    if (getuid() == uid && (lc = login_getuserclass(pwd)) != NULL) {
+    if (geteuid() == uid && (lc = login_getuserclass(pwd)) != NULL) {
 	mymask = setlogincontext(lc, pwd, mymask, flags);
 	login_close(lc);
     }

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202312211343.3BLDhnYl079678>