From owner-freebsd-bugs@FreeBSD.ORG Sat Apr 9 03:20:31 2005
Return-Path: 
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0437F16A4CE for ; Sat, 9 Apr 2005 03:20:31 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B401E43D45 for ; Sat, 9 Apr 2005 03:20:30 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j393KUL7033532 for ; Sat, 9 Apr 2005 03:20:30 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j393KU20033531; Sat, 9 Apr 2005 03:20:30 GMT (envelope-from gnats)
Resent-Date: Sat, 9 Apr 2005 03:20:30 GMT
Resent-Message-Id: <200504090320.j393KU20033531@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Matthew Poole
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 34EA116A4CE for ; Sat, 9 Apr 2005 03:10:48 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1AFCA43D2F for ; Sat, 9 Apr 2005 03:10:48 +0000 (GMT) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j393Al2K027210 for ; Sat, 9 Apr 2005 03:10:47 GMT (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.13.1/8.13.1/Submit) id j393Alfg027152; Sat, 9 Apr 2005 03:10:47 GMT (envelope-from nobody)
Message-Id: <200504090310.j393Alfg027152@www.freebsd.org>
Date: Sat, 9 Apr 2005 03:10:47 GMT
From: Matthew Poole
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Subject: kern/79705: mac_seeotheruids not blocking root
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Sat, 09 Apr 2005 03:20:31 -0000

>Number:         79705
>Category:       kern
>Synopsis:       mac_seeotheruids not blocking root
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 09 03:20:30 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Matthew Poole
>Release:        5.4-STABLE
>Organization:
>Environment:
FreeBSD ghengis.flat205 5.4-STABLE FreeBSD 5.4-STABLE #1: Sat Apr 9 01:15:59 NZST 2005     root@ghengis.flat205:/usr/obj/usr/src/sys/KERNEL.SECURE  i386
>Description:
Have loaded mac_seeotheruids, and confirmed that
security.mac.seeotheruids.specificgid_enabled=0
However, root can still see all user processes. Documentation indicates that root should not be able to see other users' processes if specificgid_enabled is set to 0.
>How-To-Repeat:
Build kernel with MAC
kldload mac_seeotheruids
Have users other than root logged in.
sysctl security.mac.seeotheruids.specificgid_enabled=0
ps wwaux | grep -v ^root
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
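The How-To-Repeat above is the manual form of a check every MAC deployment should automate: load the policy, then verify from each role that the process listing actually shrinks, instead of assuming it from the sysctl values. The script below is an added example and is not part of the PR or of FreeBSD. It assumes a FreeBSD host with mac_seeotheruids loaded and reads two knobs the mac_seeotheruids(4) manual page documents but the report does not mention, `security.mac.seeotheruids.enabled` (whether the policy is enforced at all) and `security.mac.seeotheruids.suser_privileged` (whether the superuser is exempt); the function names, the verdict labels and the `ps wwaux` sample listing are all constructed for this example. Only the pure parsing and decision functions run offline; `live_audit` runs the real `sysctl` and `ps` when invoked with `--live`.

```shell
#!/bin/sh
# Added example, not from the PR: audit whether mac_seeotheruids(4) is actually
# hiding other users' processes from the invoking user.
# Assumptions: FreeBSD, mac_seeotheruids loaded, sysctl names as in mac_seeotheruids(4).

# foreign_procs USER: read `ps aux`-style output on stdin, skip the header row,
# and count the processes whose owner column (field 1) is not USER.
foreign_procs() {
    awk -v me="$1" 'NR > 1 && $1 != me { n++ } END { print n + 0 }'
}

# policy_verdict ENABLED SUSER_PRIV USER FOREIGN_COUNT: compare what USER could
# see with what the policy knobs say should be visible.
#   enabled=0                          -> policy off, seeing other users is expected
#   enabled=1, root, suser_privileged=1 -> root is exempt by configuration
#   enabled=1, anything else           -> any foreign process means the policy is not
#                                        doing what the operator expects
policy_verdict() {
    enabled=$1; suser=$2; user=$3; foreign=$4
    if [ "$enabled" = "0" ]; then
        echo "policy-disabled"
    elif [ "$user" = "root" ] && [ "$suser" = "1" ]; then
        echo "root-exempt"
    elif [ "$foreign" -gt 0 ]; then
        echo "leak"
    else
        echo "enforced"
    fi
}

# Constructed sample of `ps wwaux` output for the offline demonstration
# (two root daemons, one shell each for the users alice and bob).
SAMPLE_PS='USER   PID %CPU %MEM  VSZ  RSS TT  STAT STARTED    TIME COMMAND
root     1  0.0  0.1  480  292 ??  ILs  12:00AM 0:00.02 /sbin/init --
root   512  0.0  0.3 3272 1404 ??  Is   12:00AM 0:00.05 /usr/sbin/sshd
alice  731  0.0  0.2 2488 1180 p0  Ss   12:05AM 0:00.03 -sh
bob    802  0.0  0.2 2488 1184 p1  Ss   12:06AM 0:00.03 -sh'

# sample_verdict: the constructed listing as seen by root with the policy
# enabled and suser_privileged off; two foreign processes are visible.
sample_verdict() {
    n=$(printf '%s\n' "$SAMPLE_PS" | foreign_procs root)
    policy_verdict 1 0 root "$n"
}

# live_audit: run the real check on a FreeBSD host (only when called with --live).
live_audit() {
    enabled=$(sysctl -n security.mac.seeotheruids.enabled)
    suser=$(sysctl -n security.mac.seeotheruids.suser_privileged)
    me=$(id -un)
    n=$(ps wwaux | foreign_procs "$me")
    verdict=$(policy_verdict "$enabled" "$suser" "$me" "$n")
    echo "user=$me enabled=$enabled suser_privileged=$suser foreign=$n verdict=$verdict"
}

if [ "${1:-}" = "--live" ]; then
    live_audit
fi
```

Run it once as root and once as an unprivileged user; a `leak` verdict for the unprivileged user means the policy is not restricting process visibility, while `root-exempt` documents that the superuser's view is a configured exception rather than a defect.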