Date: Tue, 17 Oct 2023 19:43:40 GMT
Message-Id: <202310171943.39HJhej2013506@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mitchell Horne
Subject: git: f482bc958437 - stable/14 - cr_canseeothergids(): Use real instead of effective group membership
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
Sender: owner-dev-commits-src-branches@freebsd.org
X-BeenThere: dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: mhorne
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: f482bc958437e90cf8eb3a9e45e92efeb0b2556e
Auto-Submitted: auto-generated

The branch stable/14 has been updated by mhorne:

URL: https://cgit.FreeBSD.org/src/commit/?id=f482bc958437e90cf8eb3a9e45e92efeb0b2556e

commit f482bc958437e90cf8eb3a9e45e92efeb0b2556e
Author:     Olivier Certner
AuthorDate: 2023-08-17 23:54:45 +0000
Commit:     Mitchell Horne
CommitDate: 2023-10-17 19:42:59 +0000

cr_canseeothergids(): Use real instead of effective group membership

Using the effective group and not the real one when testing membership has
the consequence that unprivileged processes cannot see setuid commands they
launch until these have relinquished their privileges. This is also in
contradiction with how the similar cr_canseeotheruids() works, i.e., by
taking into account real user IDs.

Fix this by substituting groupmember() with realgroupmember(). While here,
simplify the code.

PR: 272093 Reviewed by: mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40642 Differential Revision: https://reviews.freebsd.org/D40644 (cherry picked from commit 91658080f1a598ddda03943a783c9a941199f7d2) (cherry picked from commit 0452dd841336cea7cd979b13ef12b6ea5e992eff) --- share/man/man9/cr_bsd_visible.9 | 2 +- share/man/man9/cr_canseeothergids.9 | 8 ++++---- sys/kern/kern_prot.c | 23 ++++++++++------------- 3 files changed, 15 insertions(+), 18 deletions(-) diff --git a/share/man/man9/cr_bsd_visible.9 b/share/man/man9/cr_bsd_visible.9 index bd676e6f5705..f2d42f3835dc 100644 --- a/share/man/man9/cr_bsd_visible.9 +++ b/share/man/man9/cr_bsd_visible.9 @@ -97,7 +97,7 @@ and are not members of any common group .Po as determined by -.Xr groupmember 9 +.Xr realgroupmember 9 .Pc . .It Bq Er ESRCH Credentials diff --git a/share/man/man9/cr_canseeothergids.9 b/share/man/man9/cr_canseeothergids.9 index f0c1e5c4e726..109d41a8545d 100644 --- a/share/man/man9/cr_canseeothergids.9 +++ b/share/man/man9/cr_canseeothergids.9 @@ -48,9 +48,9 @@ This function checks if a subject associated to credentials is denied seeing a subject or object associated to credentials .Fa u2 by a policy that requires both credentials to have at least one group in common. -For this determination, the effective and supplementary group IDs are used, but -not the real group IDs, as per -.Xr groupmember 9 . +For this determination, the real and supplementary group IDs are used, but +not the effective group IDs, as per +.Xr realgroupmember 9 . .Pp This policy is active if and only if the .Xr sysctl 8 @@ -79,5 +79,5 @@ Otherwise, it returns .Er ESRCH . .Sh SEE ALSO .Xr cr_bsd_visible 9 , -.Xr groupmember 9 , +.Xr realgroupmember 9 , .Xr priv_check_cred 9 diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 23bd2009582b..43fc3100bfa7 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c 
@@ -1404,21 +1404,18 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, int cr_canseeothergids(struct ucred *u1, struct ucred *u2) { - int i, match; - if (!see_other_gids) { - match = 0; - for (i = 0; i < u1->cr_ngroups; i++) { - if (groupmember(u1->cr_groups[i], u2)) - match = 1; - if (match) - break; - } - if (!match) { - if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) - return (ESRCH); - } + if (realgroupmember(u1->cr_rgid, u2)) + return (0); + + for (int i = 1; i < u1->cr_ngroups; i++) + if (realgroupmember(u1->cr_groups[i], u2)) + return (0); + + if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0) + return (ESRCH); } + return (0); }
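
Review bot: neither man page diff bumps the .Dd date, although the first hunk of share/man/man9/cr_canseeothergids.9 changes the documented semantics from "effective and supplementary" to "real and supplementary" group IDs. The diffstat (2 +- and 8 ++++----) is fully accounted for by the .Xr and description lines shown, so the date lines are untouched. Please update .Dd in cr_canseeothergids.9 at least, since a reader comparing page dates across branches would otherwise have no hint that the visibility rule described there changed.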
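
Review bot: in the cr_canseeothergids() hunk of sys/kern/kern_prot.c, the new loop "for (int i = 1; i < u1->cr_ngroups; i++)" starts at index 1 where the removed loop started at 0, and nothing in the code says why. Going by the updated cr_canseeothergids.9 text (real and supplementary group IDs, not the effective one), slot 0 is presumably skipped because it holds the effective GID, with u1->cr_rgid checked separately just above. A one-line comment above the loop stating that assumption would keep a later cleanup from moving the start index back to 0 and quietly reintroducing effective-group matching into this visibility check. It is also worth noting in the function comment that a subject which previously matched only through u1's effective group now falls through to priv_check_cred(u1, PRIV_SEEOTHERGIDS) and gets ESRCH without that privilege.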