[Bug 256233] security/doas: target user's login class gets ignored
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 256233] security/doas: target user's login class gets ignored"
Date: Sun, 30 May 2021 15:37:41 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256233

--- Comment #3 from firstname.lastname@example.org ---

Thank you for looking into this further. I did some looking about in the code and manual pages and discovered the issue. FreeBSD has a "class" field in the password structure which doesn't exist in other supported platforms. Since it's a FreeBSD-ism it wasn't a field which was set/checked in the code. Which meant when class resources were being set in setusercontext() the class field would be blank and the system would just set the defaults.

This has been changed upstream. When getting the password data doas will now check if it is running on FreeBSD and, if so, copy the class field and use it when applying login rules/limits. I've tested this on FreeBSD 12.2 and confirmed restrictions like max memory usage are being applied.

The fix is now in the GitHub repo: https://github.com/slicer69/doas

This was a small fix, just two lines in two files (doas.c and env.c). If you could give the fixed code a test run and confirm it's using the proper limits from the target that would be very helpful. Assuming it works and I don't run into any problems on my other test systems, I'll publish a new version with the fix.
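The failure mode described in the comment above, as an added C example (not code from doas or from the comment's author): a tool that keeps its own copy of the target's `struct passwd` entry must also carry FreeBSD's `pw_class`, because that is the field `setusercontext()` reads to pick the login class. The names `dup_or_empty`, `copy_passwd` and `apply_login_context` are hypothetical.

```c
#include <sys/types.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#ifdef __FreeBSD__
#include <login_cap.h>  /* setusercontext(), LOGIN_SETALL; link with -lutil */
#endif

static char *dup_or_empty(const char *s)
{
    s = s ? s : "";
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* getpwnam() returns static storage, so the tool keeps its own copy. */
int copy_passwd(struct passwd *dst, const struct passwd *src)
{
    memset(dst, 0, sizeof(*dst));
    dst->pw_uid = src->pw_uid;
    dst->pw_gid = src->pw_gid;
    dst->pw_name = dup_or_empty(src->pw_name);
    dst->pw_dir = dup_or_empty(src->pw_dir);
    dst->pw_shell = dup_or_empty(src->pw_shell);
#ifdef __FreeBSD__
    /* FreeBSD-only field. If the copy leaves it blank, setusercontext()
     * has no class to look up and the default limits are applied. */
    if ((dst->pw_class = dup_or_empty(src->pw_class)) == NULL)
        return -1;
#endif
    return (dst->pw_name && dst->pw_dir && dst->pw_shell) ? 0 : -1;
}

/* Apply the target's login context (limits, groups, uid) from the copy. */
int apply_login_context(const struct passwd *pw)
{
#ifdef __FreeBSD__
    return setusercontext(NULL, pw, pw->pw_uid, LOGIN_SETALL);
#else
    (void)pw;
    return -1;  /* login classes are not applied outside FreeBSD in this example */
#endif
}

int main(int argc, char **argv)
{
    struct passwd copy, *pw = getpwnam(argc > 1 ? argv[1] : "root");
    return (pw != NULL && copy_passwd(&copy, pw) == 0) ? 0 : 1;
}
```
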