Date: Sat, 9 Apr 2005 03:10:47 GMT
From: Matthew Poole <matt@p00le.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/79705: mac_seeotheruids not blocking root
Message-ID: <200504090310.j393Alfg027152@www.freebsd.org>
Resent-Message-ID: <200504090320.j393KU20033531@freefall.freebsd.org>
>Number:         79705
>Category:       kern
>Synopsis:       mac_seeotheruids not blocking root
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 09 03:20:30 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Matthew Poole
>Release:        5.4-STABLE
>Organization:
>Environment:
FreeBSD ghengis.flat205 5.4-STABLE FreeBSD 5.4-STABLE #1: Sat Apr 9 01:15:59 NZST 2005 root@ghengis.flat205:/usr/obj/usr/src/sys/KERNEL.SECURE i386
>Description:
Have loaded mac_seeotheruids, and confirmed that security.mac.seeotheruids.specificgid_enabled=0.

However, root can still see all user processes. Documentation indicates that root should not be able to see other users' processes if specificgid_enabled is set to 0.
>How-To-Repeat:
Build kernel with MAC.
kldload mac_seeotheruids
Have users other than root logged in.
sysctl security.mac.seeotheruids.specificgid_enabled=0
ps wwaux | grep -v ^root
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: