[Bug 271750] setusercontext(): Apply user '.login_conf' on process' effective uid being set

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271750

--- Comment #3 from commit-hook@FreeBSD.org ---
A commit in branch stable/13 references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=9fcf54d3750e379868e51e4aa7fbf696877ab2ed

commit 9fcf54d3750e379868e51e4aa7fbf696877ab2ed
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-05-30 16:35:08 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2023-12-21 13:39:03 +0000

    setusercontext(): Apply personal settings only on matching effective UID

    Commit 35305a8dc114 (r211393) added a check on whether 'uid' was equal
    to getuid() before calling setlogincontext().  Doing so still allows
    a setuid program to apply resource limits and priorities specified in
    a user-controlled configuration file ('~/.login_conf') where
    a non-setuid program could not.  Plug the hole by checking instead that
    the process' effective UID is the target one (which is likely what was
    meant in the initial commit).

    PR:                     271750
    Reviewed by:            kib, des
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40351

    (cherry picked from commit 892654fe9b5a9115815c30a423b8db47185aebbd)

    Approved by:    markj (mentor)

 lib/libutil/login_class.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.