git: 7937bfbc0ca5 - main - mac_do(4): Enhance GID rule validation to check all groups in cr_groups
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 28 Oct 2024 18:58:29 UTC
The branch main has been updated by lwhsu:
URL: https://cgit.FreeBSD.org/src/commit/?id=7937bfbc0ca53fe7cdd0d54414f9296e273a518e
commit 7937bfbc0ca53fe7cdd0d54414f9296e273a518e
Author: Li-Wen Hsu <lwhsu@FreeBSD.org>
AuthorDate: 2024-10-28 18:58:12 +0000
Commit: Li-Wen Hsu <lwhsu@FreeBSD.org>
CommitDate: 2024-10-28 18:58:12 +0000
mac_do(4): Enhance GID rule validation to check all groups in cr_groups
Previously, the rule validation only checked the primary GID (cr_gid).
This caused issues when applying GID-based rules, as users with matching
secondary groups were not considered valid. This patch modifies both
functions to iterate through all groups in cr_groups to ensure all group
memberships are considered when validating GID-based rules.
For example, a user's primary group is staff (20) and they are also in
the wheel (0) group, this change allows the rule gid=0:any to enable
them to run commands as any user.
Reviewed by: delphij (earlier version), bapt
Differential Revision: https://reviews.freebsd.org/D47304
---
sys/security/mac_do/mac_do.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
index 507e64ea0175..1aad37f549bc 100644
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -411,7 +411,7 @@ rule_is_valid(struct ucred *cred, struct rule *r)
{
if (r->from_type == RULE_UID && r->f_uid == cred->cr_uid)
return (true);
- if (r->from_type == RULE_GID && r->f_gid == cred->cr_gid)
+ if (r->from_type == RULE_GID && groupmember(r->f_gid, cred))
return (true);
return (false);
}
@@ -516,7 +516,7 @@ check_setuid(struct ucred *cred, uid_t uid)
}
}
if (r->from_type == RULE_GID) {
- if (cred->cr_gid != r->f_gid)
+ if (!groupmember(r->f_gid, cred))
continue;
if (r->to_type == RULE_ANY) {
error = 0;