[Bug 256233] security/doas: target user's login class gets ignored
Date: Sat, 29 May 2021 02:36:30 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256233

Bug ID: 256233
Summary: security/doas: target user's login class gets ignored
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs@FreeBSD.org
Reporter: bugs.freebsd@scourger.nl
CC: jsmith@resonatingmedia.com
Flags: maintainer-feedback?(jsmith@resonatingmedia.com)

## Environment

The bug was found on FreeBSD 12.2-RELEASE GENERIC amd64 with doas-6.3p4 installed. But it will most likely manifest itself on all FreeBSD versions and architectures.

The system has 2 regular user accounts named alice and bob. Both accounts belong to a non-default login class, and alice is allowed to use doas to execute commands as bob.

## Problem description

When running a command with doas, the target user's login class is ignored. The capabilities from the default login class are applied instead of the ones defined in the target user's class. For example:

$ doas -u bob ulimit -a

Shows limits as defined for the default login class instead of those defined for bob's login class.

$ doas -u bob locale

Prints the locale from the default login class instead of the one defined in bob's actual login class.

Expected behaviour:

$ doas -u bob ulimit -a

Show the limits that are defined in /etc/login.conf for bob's login class. A quick test seems to affirm that this is what happens on OpenBSD.

$ doas -u bob locale

Show the locale defined in /etc/login.conf for bob's login class.

## How to reproduce

Add login classes 'alice' and 'bob' to login.conf. Each of the classes has a different language and memory limit:

# diff -u login.conf.orig login.conf
--- login.conf.orig 2021-05-29 01:45:22.537277000 +0200
+++ login.conf 2021-05-29 02:59:28.979606000 +0200
@@ -49,6 +49,16 @@
 :ignoretime@:\
 :umask=022:
+alice:\
+ :lang=en_CA.UTF-8:\
+ :memoryuse=8G:\
+ :tc=default:
+bob:\
+ :lang=en_US.UTF-8:\
+ :memoryuse=4G:\
+ :tc=default:

Create users alice and bob, each belonging to their respective login class.

A single line is added to doas.conf:

permit nopass alice as bob

Log in as user alice, and check that her memory limit and language are applied:

alice@doas-bug:~ $ ulimit -m
8388608
alice@doas-bug:~ $ locale | grep LANG
LANG=en_CA.UTF-8

Now run the same commands with doas, and observe that the limit and language are taken from the default login class:

alice@doas-bug:~ $ doas -u bob ulimit -m
unlimited
alice@doas-bug:~ $ doas -u bob locale | grep LANG
LANG=

The expected result is that limits from class 'bob' are applied (as happens on OpenBSD). Logging in as bob shows the expected limits:

bob@doas-bug:~ $ ulimit -m
4194304
bob@doas-bug:~ $ locale | grep LANG
LANG=en_US.UTF-8
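Review bot: the hunk header `@@ -49,6 +49,16 @@` announces ten added lines and six unchanged context lines, but only eight `+` lines (the `alice` and `bob` entries) and two context lines (`:ignoretime@:\` and `:umask=022:`) are present in the login.conf hunk, so the hunk as shown will not apply with patch(1). The missing lines are most likely blank `+` separators and trailing context lost when the report was flattened, so anyone reproducing should append the two class entries to login.conf by hand rather than feeding this text to patch.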
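As an added check (not part of the bug report or of the doas port), the reproduction above can be turned into a POSIX sh script that resolves a class's `memoryuse` from login.conf text, following `tc=` chaining, converts it to the kilobyte unit that `ulimit -m` prints (so 8G becomes the 8388608 seen in the report), and compares it with an observed value; the login.conf fragment is constructed to mirror the report's classes, and the `login_cap`, `cap_to_kb` and `check_memoryuse` names are my own.

```shell
# Added check, not from the bug report: does the memoryuse limit that a login
# class declares in login.conf match what a process running as that user reports?
# LOGIN_CONF is constructed to mirror the report's classes; on a real host pass
# /etc/login.conf and the output of `doas -u bob sh -c 'ulimit -m'` instead.
LOGIN_CONF='default:\
    :umask=022:
alice:\
    :lang=en_CA.UTF-8:\
    :memoryuse=8G:\
    :tc=default:
bob:\
    :lang=en_US.UTF-8:\
    :memoryuse=4G:\
    :tc=default:'

# login_cap CONF CLASS CAP: print CAP for CLASS, following tc= as login_getcapstr(3) does.
login_cap() {
    printf '%s\n' "$1" | awk -v cls="$2" -v cap="$3" '
        /\\$/ { buf = buf substr($0, 1, length($0) - 1); next }  # join continued lines
        { rec[++n] = buf $0; buf = "" }
        END {
            for (hop = 0; hop < 8 && cls != ""; hop++) {         # bounded tc= chain
                for (i = 1; i <= n; i++) {
                    m = split(rec[i], f, ":"); if (f[1] != cls) continue
                    for (j = 2; j <= m; j++) {
                        gsub(/^[ \t]+/, "", f[j])
                        if (index(f[j], cap "=") == 1) { print substr(f[j], length(cap) + 2); exit 0 }
                        if (index(f[j], "tc=") == 1) next_cls = substr(f[j], 4)
                    }
                }
                cls = next_cls; next_cls = ""
            }
            exit 1
        }'
}
# cap_to_kb VALUE: login.conf size (bytes, or K/M/G suffix) -> kilobytes as `ulimit -m` prints.
cap_to_kb() {
    case $1 in
        unlimited) echo unlimited ;;
        *[Kk]) echo "${1%?}" ;;
        *[Mm]) echo $(( ${1%?} * 1024 )) ;;
        *[Gg]) echo $(( ${1%?} * 1024 * 1024 )) ;;
        *) echo $(( $1 / 1024 )) ;;
    esac
}
# check_memoryuse CLASS OBSERVED: succeed only if OBSERVED (from ulimit -m) matches CLASS.
check_memoryuse() {
    [ "$(cap_to_kb "$(login_cap "$LOGIN_CONF" "$1" memoryuse)")" = "$2" ]
}
check_memoryuse bob unlimited || echo "bob via doas: 'unlimited' is the default class, not bob's 4G"
```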