
mac_do(4): Enhance GID rule validation to check all groups in cr_groups
Closed, Public

Authored by lwhsu on Oct 28 2024, 6:36 AM.
Details

Summary

Previously, the rule validation only checked the primary GID (cr_gid).
This caused issues when applying GID-based rules, as users with matching
secondary groups were not considered valid. This patch modifies both
functions to iterate through all groups in cr_groups to ensure all group
memberships are considered when validating GID-based rules.

For example, a user's primary group is staff (20) and is also in the
wheel (0) group; with this change, the rule gid=0:any works for enabling
them to run commands as any user.
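The following userland model is an added illustration, not code from this revision or from FreeBSD's sys/security/mac_do/mac_do.c. It contrasts the old primary-GID-only check with a groupmember(9)-style check that also walks the supplementary groups, using the summary's scenario (primary group staff, 20; supplementary group wheel, 0; rule gid=0:any). struct demo_cred, struct rule, demo_groupmember, rule_from_matches, check_setuid and demo_scenario are constructed stand-ins; the real kernel types and the mac_do(4) rule parser are not reproduced.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

#define DEMO_NGROUPS 16

/*
 * Constructed stand-in for the struct ucred fields the rules consult.
 * cr_groups[] holds the primary group first, then the supplementary
 * groups; cr_ngroups counts the valid entries.
 */
struct demo_cred {
	unsigned int cr_uid;
	unsigned int cr_gid;		/* primary (effective) GID */
	unsigned int cr_groups[DEMO_NGROUPS];
	int cr_ngroups;
};

/* Rule kinds, named after the identifiers used in the review. */
enum rule_type { RULE_ANY, RULE_UID, RULE_GID };

struct rule {
	enum rule_type from_type;	/* RULE_UID or RULE_GID */
	unsigned int f_uid;
	unsigned int f_gid;
	enum rule_type to_type;		/* RULE_ANY or RULE_UID */
	unsigned int t_uid;
};

/*
 * Userland equivalent of groupmember(9): true when gid is the effective
 * GID or appears anywhere in the group list.
 */
static bool
demo_groupmember(unsigned int gid, const struct demo_cred *cred)
{
	if (gid == cred->cr_gid)
		return (true);
	for (int i = 0; i < cred->cr_ngroups; i++)
		if (cred->cr_groups[i] == gid)
			return (true);
	return (false);
}

/* Does the "from" side of rule r apply to cred? */
static bool
rule_from_matches(const struct rule *r, const struct demo_cred *cred,
    bool all_groups)
{
	switch (r->from_type) {
	case RULE_UID:
		return (cred->cr_uid == r->f_uid);
	case RULE_GID:
		/* Old behaviour: primary GID only.  New: every group. */
		return (all_groups ? demo_groupmember(r->f_gid, cred) :
		    cred->cr_gid == r->f_gid);
	default:
		return (false);
	}
}

/*
 * Walk the rule list; return 0 if some rule lets cred become uid,
 * EPERM otherwise (same shape as the loop quoted in the review).
 */
static int
check_setuid(const struct rule *rules, size_t nrules,
    const struct demo_cred *cred, unsigned int uid, bool all_groups)
{
	int error = EPERM;

	for (size_t i = 0; i < nrules; i++) {
		const struct rule *r = &rules[i];

		if (!rule_from_matches(r, cred, all_groups))
			continue;
		if (r->to_type == RULE_ANY ||
		    (r->to_type == RULE_UID && uid == r->t_uid)) {
			error = 0;
			break;
		}
	}
	return (error);
}

/*
 * Summary scenario: primary group staff (20), also in wheel (0), checked
 * against a single constructed rule "gid=0:<to_type>".  Returns 0 or EPERM.
 */
int
demo_scenario(bool all_groups, enum rule_type to_type, unsigned int t_uid,
    unsigned int target_uid)
{
	struct demo_cred cred = {
		.cr_uid = 1001, .cr_gid = 20,
		.cr_groups = { 20, 0 }, .cr_ngroups = 2,
	};
	struct rule rules[1] = {
		{ .from_type = RULE_GID, .f_gid = 0,
		  .to_type = to_type, .t_uid = t_uid },
	};

	return (check_setuid(rules, 1, &cred, target_uid, all_groups));
}
```

With all_groups=false the gid=0:any rule is never matched because cr_gid is 20, which is the behaviour the summary describes as broken; with all_groups=true the supplementary wheel membership is found and the rule applies, while a gid=0:uid=5 rule still denies a switch to any uid other than 5.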

Diff Detail

Repository: rG FreeBSD src repository
Lint: Not Applicable
Unit Tests: Not Applicable

Event Timeline

lwhsu requested review of this revision. Oct 28 2024, 6:36 AM

I think the code should be using groupmember(9) instead of rolling our own.

sys/security/mac_do/mac_do.c:416–418

Maybe just:

if (groupmember(r->f_gid, cred))
    return (true);

?

sys/security/mac_do/mac_do.c:527

The matching should use groupmember(), e.g.:

if (groupmember(r->f_gid, cred)) {
	/* GID rule applies to this credential; now check the target side. */
	if (r->to_type == RULE_ANY ||
	    (r->to_type == RULE_UID && uid == r->t_uid)) {
		error = 0;
		break;
	}
}

Trim sneaked-in added empty line

This revision is now accepted and ready to land. Oct 28 2024, 3:43 PM