kern/72238: mac_seeotheruids restricts root
Björn König
bkoenig at cs.tu-berlin.de
Fri Oct 1 12:40:37 PDT 2004
>Number: 72238
>Category: kern
>Synopsis: mac_seeotheruids restricts root
>Confidential: no
>Severity: non-critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Oct 01 19:40:12 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Björn König
>Release: FreeBSD 5.2.1
>Organization:
>Environment:
affects all FreeBSD 5 versions up to CURRENT
>Description:
mac_seeotheruids hides processes and connections from root. This is unsuitable because its hard for root to maintain a multi-user server. Another problem for example is that an ident daemon can't work properly.
>How-To-Repeat:
Load the kernel module
"kldload mac_seeotheruids"
Execute as root
"sockstat"
"ps aux"
It shows only root's connections and processes.
>Fix:
Apply this patch
--- src/sys/security/mac_seeotheruids/mac_seeotheruids.c.orig Thu Mar 27 20:26:39 2003
+++ src/sys/security/mac_seeotheruids/mac_seeotheruids.c Fri Oct 1 21:32:13 2004
@@ -104,6 +104,9 @@
if (!mac_seeotheruids_enabled)
return (0);
+ if (u1->cr_ruid == 0)
+ return (0);
+
if (primarygroup_enabled) {
if (u1->cr_rgid == u2->cr_rgid)
return (0);
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list