From owner-freebsd-bugs@FreeBSD.ORG Mon Mar 27 01:40:11 2006
Date: Mon, 27 Mar 2006 01:40:10 GMT
Message-Id: <200603270140.k2R1eALd026741@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Tom Rhodes
Subject: Re: kern/79705: mac_seeotherusids not blocking root

The following reply was made to PR kern/79705; it has been noted by GNATS.
From: Tom Rhodes
To: bug-followup@FreeBSD.org, matt@poole.net
Cc:
Subject: Re: kern/79705: mac_seeotherusids not blocking root
Date: Sun, 26 Mar 2006 20:35:12 -0500

Hi Matthew,

The mac_seeotheruids(4) module changed as it was too difficult for the root user to properly maintain a multi-user environment as was. There was also a report about breaking ident.

Could you try the following patch and toggle the suser_privileged sysctl? It should fix your problem.

Thanks,

-- 
Tom Rhodes

=================================================================== RCS file: /usr/local/www/cvsroot/FreeBSD/src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v retrieving revision 1.7 retrieving revision 1.8 diff -u -p -r1.7 -r1.8 --- src/sys/security/mac_seeotheruids/mac_seeotheruids.c 2005/01/03 12:08:18 1.7 +++ src/sys/security/mac_seeotheruids/mac_seeotheruids.c 2005/09/30 23:41:10 1.8 @@ -84,6 +84,14 @@ SYSCTL_INT(_security_mac_seeotheruids, O "with the same real primary group id"); /* + * Exception: allow the root user to be aware of other credentials by virtue + * of privilege. + */ +static int suser_privileged = 1; +SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, suser_privileged, + CTLFLAG_RW, &suser_privileged, 0, "Make an exception for superuser"); + +/* * Exception: allow processes with a specific gid to be exempt from the * policy. One sysctl enables this functionality; the other sets the * exempt gid. @@ -117,8 +125,10 @@ mac_seeotheruids_check(struct ucred *u1, if (u1->cr_ruid == u2->cr_ruid) return (0); - if (suser_cred(u1, 0) == 0) - return (0); + if (suser_privileged) { + if (suser_cred(u1, 0) == 0) + return (0); + } return (ESRCH); }
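Review bot: in the first hunk (@@ -84,6 +84,14 @@), the default in `static int suser_privileged = 1;` keeps the superuser exemption switched on, so as shipped the patch changes nothing for the behaviour the PR complains about (root not being blocked); an administrator has to set the knob to 0 to get it, and nothing in the patch says so. Suggest the description string name the value that disables the exemption, e.g. "Exempt the superuser from the policy (0 = root is subject to it)" instead of "Make an exception for superuser", and that mac_seeotheruids(4) gain a paragraph on security.mac.seeotheruids.suser_privileged next to the existing group exemptions, since the diff touches only the .c file.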
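Review bot: in the second hunk (@@ -117,8 +125,10 @@), the nested `if (suser_privileged) { if (suser_cred(u1, 0) == 0) return (0); }` can be a single test, `if (suser_privileged && suser_cred(u1, 0) == 0) return (0);`, matching the one-line style of the `cr_ruid` comparison just above it. A caveat worth a comment either way: the same-user test compares real uids (`cr_ruid`), while `suser_cred(u1, 0)` is a check on the effective credential, so with the knob on, a setuid-root program started by an unprivileged user is exempt from the policy just like a root shell, which "Make an exception for superuser" does not make obvious.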
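The effect of the new knob on the check, as an added example that is not the kernel module's code: a userland C model of mac_seeotheruids_check() after the patch, with the sysctls replaced by a struct of knobs. Only suser_privileged comes from the patch; the `enabled` and `primarygroup_enabled` knob names are assumed, based on the exemptions the diff's context comments mention, as is the stand-in for suser_cred(), which treats any credential with effective uid 0 as privileged. The sample credentials (uids 1001, 1002, a root shell, a setuid-root process) are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/*
 * Added example: a userland model of mac_seeotheruids_check() after the
 * patch. This is not the kernel module's code. The knobs stand in for the
 * module's sysctls; only suser_privileged is taken from the patch, the
 * other two names are assumed from the exemptions the diff's comments
 * mention.
 */
struct knobs {
	int enabled;              /* assumed: whole policy on/off */
	int primarygroup_enabled; /* assumed: same real primary gid exemption */
	int suser_privileged;     /* from the patch: superuser exemption */
};

/* Minimal stand-in for the fields of struct ucred the check looks at. */
struct cred {
	uid_t cr_uid;  /* effective uid, what privilege checks look at */
	uid_t cr_ruid; /* real uid, what the same-user test compares */
	gid_t cr_rgid; /* real primary gid */
};

/* Stand-in for suser_cred(cred, 0): 0 when privileged, EPERM otherwise. */
static int model_suser_cred(const struct cred *c)
{
	return c->cr_uid == 0 ? 0 : EPERM;
}

/*
 * Returns 0 when u1 is allowed to see u2's processes, ESRCH when the
 * policy hides them (the caller then sees "no such process").
 */
int seeotheruids_check(const struct knobs *k, const struct cred *u1,
    const struct cred *u2)
{
	if (!k->enabled)
		return (0);
	if (k->primarygroup_enabled && u1->cr_rgid == u2->cr_rgid)
		return (0);
	if (u1->cr_ruid == u2->cr_ruid)
		return (0);
	/* The patched hunk: the superuser exemption now hangs off the knob. */
	if (k->suser_privileged) {
		if (model_suser_cred(u1) == 0)
			return (0);
	}
	return (ESRCH);
}

/* A real root shell (uid 0, ruid 0) looking at an ordinary user's process. */
int root_sees_user(int suser_privileged)
{
	struct knobs k = { 1, 0, suser_privileged };
	struct cred root = { 0, 0, 0 };
	struct cred user = { 1001, 1001, 1001 };

	return seeotheruids_check(&k, &root, &user);
}

/*
 * A setuid-root program started by uid 1001 (effective 0, real 1001)
 * looking at uid 1002: the knob exempts it as well, because the
 * privilege test is on the effective credential, not the real uid.
 */
int setuid_root_sees_user(int suser_privileged)
{
	struct knobs k = { 1, 0, suser_privileged };
	struct cred setuid = { 0, 1001, 1001 };
	struct cred other = { 1002, 1002, 1002 };

	return seeotheruids_check(&k, &setuid, &other);
}

int main(void)
{
	int knob;

	for (knob = 1; knob >= 0; knob--) {
		printf("suser_privileged=%d: root sees user -> %s, "
		    "setuid-root sees user -> %s\n", knob,
		    root_sees_user(knob) == 0 ? "yes" : "ESRCH",
		    setuid_root_sees_user(knob) == 0 ? "yes" : "ESRCH");
	}
	return 0;
}
```

With the knob at its patched default of 1 both credentials see the other user; only after setting it to 0 does the policy return ESRCH for root, which is the behaviour the PR asks for. The same-real-uid and same-primary-group exemptions are checked before the superuser test, so they are unaffected by the knob.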