Date: Fri, 1 Oct 2004 19:35:44 GMT From: Björn König <bkoenig@cs.tu-berlin.de> To: freebsd-gnats-submit@FreeBSD.org Subject: kern/72238: mac_seeotheruids restricts root Message-ID: <200410011935.i91JZiMF046866@www.freebsd.org> Resent-Message-ID: <200410011940.i91JeCWJ006975@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 72238
>Category: kern
>Synopsis: mac_seeotheruids restricts root
>Confidential: no
>Severity: non-critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Oct 01 19:40:12 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Björn König
>Release: FreeBSD 5.2.1
>Organization:
>Environment:
affects all FreeBSD 5 versions up to CURRENT
>Description:
mac_seeotheruids hides processes and connections from root. This is unsuitable because its hard for root to maintain a multi-user server. Another problem for example is that an ident daemon can't work properly.
>How-To-Repeat:
Load the kernel module
"kldload mac_seeotheruids"
Execute as root
"sockstat"
"ps aux"
It shows only root's connections and processes.
>Fix:
Apply this patch
--- src/sys/security/mac_seeotheruids/mac_seeotheruids.c.orig Thu Mar 27 20:26:39 2003
+++ src/sys/security/mac_seeotheruids/mac_seeotheruids.c Fri Oct 1 21:32:13 2004
@@ -104,6 +104,9 @@
if (!mac_seeotheruids_enabled)
return (0);
+ if (u1->cr_ruid == 0)
+ return (0);
+
if (primarygroup_enabled) {
if (u1->cr_rgid == u2->cr_rgid)
return (0);
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200410011935.i91JZiMF046866>