From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 211622] security/doas: doas doesn't enforce correct uid and gid with -u switch
Date: Mon, 08 Aug 2016 02:07:03 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211622

--- Comment #3 from telnetuserid@sdf.org ---

I've compiled doas from upstream. The correct uid and gid are enforced, but the issuer's egid and groups identification is still exposed.

Can you make "portable" doas behave more like sudo or OpenBSD doas? The doas utility doesn't need to expose the caller's egid and groups with the -u switch. Just plain uid, gid, and groups for the user to switch to.

Doas compiled from upstream commit 8bec4dcaa6afb6f6b480a720edbc896bcb9ac69d

# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
# doas -u nobody id
uid=65534(nobody) gid=65534(nobody) egid=0(wheel) groups=0(wheel),5(operator)
# sudo -u nobody id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)

-- 
You are receiving this mail because:
You are the assignee for the bug.
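The transcript above is the whole evidence for the bug: `id` only prints an `egid=` field when the effective gid differs from the real gid, so its presence after `doas -u nobody` means the group drop was incomplete, and the supplementary list still carries the caller's `wheel` and `operator`. The following checker is an added example, not code from the bug report, from doas or from sudo. It parses `id` output and reports every credential that does not belong to the target user. The three sample lines are copied from the report; the target identity for `nobody` (uid 65534, gid 65534, no extra groups) is an assumption stated in the code.

```python
"""Audit `id` output produced under a privilege-switching tool (doas, sudo).

Added example for the doas -u bug report; not part of doas or sudo.
A complete switch to a target user must leave uid == euid == target uid,
gid == egid == target gid, and no supplementary group the target does
not own. `id` prints euid=/egid= only when they differ from uid/gid, so
their mere presence is already a finding.
"""
import re
from typing import Dict, List

# key=value pairs such as uid=65534(nobody) or groups=0(wheel),5(operator)
_FIELD = re.compile(r"(\w+)=((?:\d+(?:\([^)]*\))?,?)+)")

# Sample lines taken from the bug report transcript (root running `id`
# directly, via portable doas, and via sudo).
ROOT_ID_OUTPUT = "uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)"
DOAS_ID_OUTPUT = ("uid=65534(nobody) gid=65534(nobody) egid=0(wheel) "
                  "groups=0(wheel),5(operator)")
SUDO_ID_OUTPUT = "uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)"

# Assumed identity of the target user `nobody` on the reporter's system.
NOBODY_UID = 65534
NOBODY_GID = 65534
NOBODY_GROUPS: List[int] = [65534]


def parse_id_output(line: str) -> Dict[str, List[int]]:
    """Return {field: [numeric ids]} for uid/gid/euid/egid/groups.

    Parenthesised names are discarded; fields without numeric values
    (e.g. an SELinux context=) are ignored.
    """
    ids: Dict[str, List[int]] = {}
    for key, value in _FIELD.findall(line):
        bare = re.sub(r"\([^)]*\)", "", value)
        ids[key] = [int(x) for x in bare.split(",") if x]
    return ids


def audit_identity(line: str, target_uid: int, target_gid: int,
                   target_groups: List[int]) -> List[str]:
    """List every way `line` deviates from a clean switch to the target.

    An empty list means uid, euid, gid, egid and the supplementary
    groups all belong to the target user.
    """
    ids = parse_id_output(line)
    findings: List[str] = []
    if ids.get("uid") != [target_uid]:
        findings.append(f"uid={ids.get('uid')} is not target uid {target_uid}")
    # euid is printed only when it differs from uid, so default to "same".
    if ids.get("euid", [target_uid]) != [target_uid]:
        findings.append(f"euid={ids['euid'][0]} differs from target uid {target_uid}")
    if ids.get("gid") != [target_gid]:
        findings.append(f"gid={ids.get('gid')} is not target gid {target_gid}")
    if ids.get("egid", [target_gid]) != [target_gid]:
        findings.append(f"egid={ids['egid'][0]} differs from target gid {target_gid}")
    # Anything in groups= that the target does not own leaked from the caller.
    leaked = sorted(set(ids.get("groups", [])) - set(target_groups) - {target_gid})
    if leaked:
        findings.append(f"supplementary groups not belonging to target: {leaked}")
    return findings


if __name__ == "__main__":
    for label, line in (("doas", DOAS_ID_OUTPUT), ("sudo", SUDO_ID_OUTPUT)):
        problems = audit_identity(line, NOBODY_UID, NOBODY_GID, NOBODY_GROUPS)
        print(f"{label}: {'clean' if not problems else '; '.join(problems)}")
```

Run against the report's lines it flags the doas output twice (leftover egid 0 and leaked groups 0 and 5) and passes the sudo output. To audit a live system, feed it the stdout of `doas -u nobody id` and the target's real group list from `getent group` or `id -G nobody`.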