git: f482bc958437 - stable/14 - cr_canseeothergids(): Use real instead of effective group membership

From: Mitchell Horne <mhorne_at_FreeBSD.org>
Date: Tue, 17 Oct 2023 19:43:40 UTC
The branch stable/14 has been updated by mhorne:

URL: https://cgit.FreeBSD.org/src/commit/?id=f482bc958437e90cf8eb3a9e45e92efeb0b2556e

commit f482bc958437e90cf8eb3a9e45e92efeb0b2556e
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-08-17 23:54:45 +0000
Commit:     Mitchell Horne <mhorne@FreeBSD.org>
CommitDate: 2023-10-17 19:42:59 +0000

    cr_canseeothergids(): Use real instead of effective group membership
    
    Using the effective group and not the real one when testing membership
    has the consequence that unprivileged processes cannot see setuid
    commands they launch until these have relinquished their privileges.
    This is also in contradiction with how the similar cr_canseeotheruids()
    works, i.e., by taking into account real user IDs.
    
    Fix this by substituting groupmember() with realgroupmember().  While
    here, simplify the code.
    
    PR:                     272093
    Reviewed by:            mhorne
    MFC after:              2 weeks
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40642
    Differential Revision:  https://reviews.freebsd.org/D40644
    
    (cherry picked from commit 91658080f1a598ddda03943a783c9a941199f7d2)
    (cherry picked from commit 0452dd841336cea7cd979b13ef12b6ea5e992eff)
---
 share/man/man9/cr_bsd_visible.9     |  2 +-
 share/man/man9/cr_canseeothergids.9 |  8 ++++----
 sys/kern/kern_prot.c                | 23 ++++++++++-------------
 3 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/share/man/man9/cr_bsd_visible.9 b/share/man/man9/cr_bsd_visible.9
index bd676e6f5705..f2d42f3835dc 100644
--- a/share/man/man9/cr_bsd_visible.9
+++ b/share/man/man9/cr_bsd_visible.9
@@ -97,7 +97,7 @@ and
 are not members of any common group
 .Po
 as determined by
-.Xr groupmember 9
+.Xr realgroupmember 9
 .Pc .
 .It Bq Er ESRCH
 Credentials
diff --git a/share/man/man9/cr_canseeothergids.9 b/share/man/man9/cr_canseeothergids.9
index f0c1e5c4e726..109d41a8545d 100644
--- a/share/man/man9/cr_canseeothergids.9
+++ b/share/man/man9/cr_canseeothergids.9
@@ -48,9 +48,9 @@ This function checks if a subject associated to credentials
 is denied seeing a subject or object associated to credentials
 .Fa u2
 by a policy that requires both credentials to have at least one group in common.
-For this determination, the effective and supplementary group IDs are used, but
-not the real group IDs, as per
-.Xr groupmember 9 .
+For this determination, the real and supplementary group IDs are used, but
+not the effective group IDs, as per
+.Xr realgroupmember 9 .
 .Pp
 This policy is active if and only if the
 .Xr sysctl 8
@@ -79,5 +79,5 @@ Otherwise, it returns
 .Er ESRCH .
 .Sh SEE ALSO
 .Xr cr_bsd_visible 9 ,
-.Xr groupmember 9 ,
+.Xr realgroupmember 9 ,
 .Xr priv_check_cred 9
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 23bd2009582b..43fc3100bfa7 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1404,21 +1404,18 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
 int
 cr_canseeothergids(struct ucred *u1, struct ucred *u2)
 {
-	int i, match;
-
 	if (!see_other_gids) {
-		match = 0;
-		for (i = 0; i < u1->cr_ngroups; i++) {
-			if (groupmember(u1->cr_groups[i], u2))
-				match = 1;
-			if (match)
-				break;
-		}
-		if (!match) {
-			if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0)
-				return (ESRCH);
-		}
+		if (realgroupmember(u1->cr_rgid, u2))
+			return (0);
+
+		for (int i = 1; i < u1->cr_ngroups; i++)
+			if (realgroupmember(u1->cr_groups[i], u2))
+				return (0);
+
+		if (priv_check_cred(u1, PRIV_SEEOTHERGIDS) != 0)
+			return (ESRCH);
 	}
+
 	return (0);
 }