Date: Wed, 18 Oct 2023 18:03:57 GMT
Message-Id: <202310181803.39II3vrm045009@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mitchell Horne
Subject: git: 26ff4836c888 - releng/14.0 - cr_canseeothergids(): Use real instead of effective group membership
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-Git-Committer: mhorne
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/14.0
X-Git-Reftype: branch
X-Git-Commit: 26ff4836c88812b9ee03c4cc127ba2b467173a0e
Auto-Submitted: auto-generated

The branch releng/14.0 has been updated by mhorne:

URL: https://cgit.FreeBSD.org/src/commit/?id=26ff4836c88812b9ee03c4cc127ba2b467173a0e

commit 26ff4836c88812b9ee03c4cc127ba2b467173a0e
Author:     Olivier Certner
AuthorDate: 2023-08-17 23:54:45 +0000
Commit:     Mitchell Horne
CommitDate: 2023-10-18 18:01:49 +0000

    cr_canseeothergids(): Use real instead of effective group membership

    Using the effective group and not the real one when testing membership
    has the consequence that unprivileged processes cannot see setuid
    commands they launch until these have relinquished their privileges.
    This is also in contradiction with how the similar cr_canseeotheruids()
    works, i.e., by taking into account real user IDs.

    Fix this by substituting groupmember() with realgroupmember().  While
    here, simplify the code.

Approved by: re (gjb) PR: 272093 Reviewed by: mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40642 Differential Revision: https://reviews.freebsd.org/D40644 (cherry picked from commit 91658080f1a598ddda03943a783c9a941199f7d2) (cherry picked from commit 0452dd841336cea7cd979b13ef12b6ea5e992eff) (cherry picked from commit 4e7cea61051abc476c64e4a996397235f5a881bc) --- share/man/man9/cr_bsd_visible.9 | 2 +- share/man/man9/cr_canseeothergids.9 | 8 ++++---- sys/kern/kern_prot.c | 23 ++++++++++------------- 3 files changed, 15 insertions(+), 18 deletions(-) diff --git a/share/man/man9/cr_bsd_visible.9 b/share/man/man9/cr_bsd_visible.9 index bd676e6f5705..f2d42f3835dc 100644 --- a/share/man/man9/cr_bsd_visible.9 +++ b/share/man/man9/cr_bsd_visible.9 @@ -97,7 +97,7 @@ and are not members of any common group .Po as determined by -.Xr groupmember 9 +.Xr realgroupmember 9 .Pc . .It Bq Er ESRCH Credentials diff --git a/share/man/man9/cr_canseeothergids.9 b/share/man/man9/cr_canseeothergids.9 index f0c1e5c4e726..109d41a8545d 100644 --- a/share/man/man9/cr_canseeothergids.9 +++ b/share/man/man9/cr_canseeothergids.9 @@ -48,9 +48,9 @@ This function checks if a subject associated to credentials is denied seeing a subject or object associated to credentials .Fa u2 by a policy that requires both credentials to have at least one group in common. -For this determination, the effective and supplementary group IDs are used, but -not the real group IDs, as per -.Xr groupmember 9 . +For this determination, the real and supplementary group IDs are used, but +not the effective group IDs, as per +.Xr realgroupmember 9 . .Pp This policy is active if and only if the .Xr sysctl 8 @@ -79,5 +79,5 @@ Otherwise, it returns .Er ESRCH . .Sh SEE ALSO .Xr cr_bsd_visible 9 , -.Xr groupmember 9 , +.Xr realgroupmember 9 , .Xr priv_check_cred 9 diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 23bd2009582b..43fc3100bfa7 100644 --- a/sys/kern/kern_prot.c 
+++ b/sys/kern/kern_prot.c @@ -1404,21 +1404,18 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, int cr_canseeothergids(struct ucred *u1, struct ucred *u2) { - int i, match; - if (!see_other_gids) { - match = 0; - for (i = 0; i < u1->cr_ngroups; i++) { - if (groupmember(u1->cr_groups[i], u2)) - match = 1; - if (match) - break; - } - if (!match) { - if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) - return (ESRCH); - } + if (realgroupmember(u1->cr_rgid, u2)) + return (0); + + for (int i = 1; i < u1->cr_ngroups; i++) + if (realgroupmember(u1->cr_groups[i], u2)) + return (0); + + if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) + return (ESRCH); } + return (0); }
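Review bot: In the SEE ALSO hunk of share/man/man9/cr_canseeothergids.9 (@@ -79,5), swapping groupmember for realgroupmember in place leaves the list out of alphabetical order: ".Xr realgroupmember 9 ," now sits before ".Xr priv_check_cred 9". mdoc convention sorts SEE ALSO entries by section and then alphabetically, so move the realgroupmember entry to the end of the list and put the trailing comma on the priv_check_cred line instead.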
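Review bot: In cr_canseeothergids() in sys/kern/kern_prot.c (@@ -1404,21), the new loop starts at "i = 1" where the removed loop started at 0, and nothing in the hunk says why slot 0 of cr_groups is skipped. Going by the man page text changed in this same commit (real and supplementary group IDs are used, effective ones are not), slot 0 is presumably the effective GID and is left out on purpose, with cr_rgid checked separately just above. A one-line comment over the loop saying so would keep a later reader from taking the start index for an off-by-one and restoring the effective-group comparison, which is the behaviour this access-control check is meant to drop. The outer for also has a multi-line body without braces, which is easy to break when a statement is added. Finally, the diffstat lists only the two man pages and kern_prot.c; a regression test for the case named in the commit message (an unprivileged process looking at a setuid command it launched, with see_other_gids set to 0) would pin the new behaviour down.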