[Bug 256233] security/doas: target user's login class gets ignored

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 30 May 2021 15:37:41 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256233

--- Comment #3 from jsmith_at_resonatingmedia.com ---
Thank you for looking into this further.

I did some looking about in the code and manual pages and discovered the issue.
FreeBSD has a "class" field in the password structure which doesn't exist in
other supported platforms. Since it's a FreeBSD-ism it wasn't a field which was
set/checked in the code. Which meant when class resources were being set in
setusercontext() the class field would be blank and the system would just set
the defaults.

This has been changed upstream. When getting the password data doas will now
check if it is running on FreeBSD and, if so, copy the class field and use it
when applying login rules/limits.

I've tested this on FreeBSD 12.2 and confirmed restrictions like max memory
usage are being applied. The fix is now in the GitHub repo:
https://github.com/slicer69/doas

This was a small fix, just two lines in two files (doas.c and env.c). If you
could give the fixed code a test run and confirm it's using the proper limits
from the target that would be very helpful. Assuming it works and I don't run
into any problems on my other test systems, I'll publish a new version with the
fix.

-- 
You are receiving this mail because:
You are the assignee for the bug.
Received on Sun May 30 2021 - 15:37:41 UTC

Original text of this message