[Bug 256233] security/doas: target user's login class gets ignored

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 29 May 2021 02:36:30 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256233

            Bug ID: 256233
           Summary: security/doas: target user's login class gets ignored
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: bugs.freebsd@scourger.nl
                CC: jsmith@resonatingmedia.com
                CC: jsmith@resonatingmedia.com
             Flags: maintainer-feedback?(jsmith@resonatingmedia.com)

## Environment

The bug was found on FreeBSD 12.2-RELEASE GENERIC amd64 with doas-6.3p4
installed. But it will most likely manifest itself on all FreeBDS versions and
architectures.

The system has 2 regular user accounts named alice and bob. Both accounts
belong to a non-default login class, and alice is allowed to use doas to
execute commands as bob.


## Problem description

When running a command with doas, the target user's login class is ignored. The
capabilities from the default login class are applied instead of the ones
defined in the target user's class.

For example:
$ doas -u bob ulimit -a
Shows limits as defined for the default login class instead of those defined
for bob's login class.
$ doas -u bob locale
Prints the locale from the default login class instead of the one defined in
bob's actual login class.

Expected behaviour:
$ doas -u bob ulimit -a
Show the limits that are defined in /etc/login.conf for bob's login class.
A quick test seems to affirm that this is what happens on OpenBSD.
$ doas -u bob locale
Show the locale defined in /etc/login.conf for bob's login class.


## How to reproduce

Add login classes 'alice' and 'bob' to login.conf. Each off the classes has a
different language and memory limit:
# diff -u login.conf.orig login.conf
--- login.conf.orig     2021-05-29 01:45:22.537277000 +0200
+++ login.conf  2021-05-29 02:59:28.979606000 +0200
@@ -49,6 +49,16 @@
        :ignoretime@:\
        :umask=022:

+alice:\
+       :lang=en_CA.UTF-8:\
+       :memoryuse=8G:\
+       :tc=default:
+bob:\
+       :lang=en_US.UTF-8:\
+       :memoryuse=4G:\
+       :tc=default:

Create users alice and bob, each belonging to their respective login class.

A single line is added to doas.conf:
permit nopass alice as bob


Log in as user alice, and check that her memory limit and language are applied:
alice@doas-bug:~ $ ulimit -m
8388608
alice@doas-bug:~ $ locale | grep LANG
LANG=en_CA.UTF-8

Now run the same commands with doas, and observe that the limit and language
are taken from the default login class:
alice@doas-bug:~ $ doas -u bob ulimit -m
unlimited
alice@doas-bug:~ $ doas -u bob locale | grep LANG
LANG=

The expected result is that limits from class 'bob' are be applied (as happens
on OpenBSD).
Logging in as bob shows the expected limits:
bob@doas-bug:~ $ ulimit -m
4194304
bob@doas-bug:~ $ locale | grep LANG
LANG=en_US.UTF-8

-- 
You are receiving this mail because:
You are the assignee for the bug.