cr_canseeothergids(): Use real instead of effective group membership

Description

cr_canseeothergids(): Use real instead of effective group membership

Using the effective group and not the real one when testing membership
has the consequence that unprivileged processes cannot see setuid
commands they launch until these have relinquished their privileges.
This is also in contradiction with how the similar cr_canseeotheruids()
works, i.e., by taking into account real user IDs.

Fix this by substituting groupmember() with realgroupmember(). While
here, simplify the code.

Approved by: re (gjb)
PR: 272093
Reviewed by: mhorne
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40642
Differential Revision: https://reviews.freebsd.org/D40644

(cherry picked from commit 91658080f1a598ddda03943a783c9a941199f7d2)
(cherry picked from commit 0452dd841336cea7cd979b13ef12b6ea5e992eff)
(cherry picked from commit 4e7cea61051abc476c64e4a996397235f5a881bc)
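
The visibility change described in the commit message can be seen in a small user-space model. This is an added example, not code from the FreeBSD tree or from the commit: `struct cred_model`, `can_see_old()`, `can_see_new()` and the sample credentials are hypothetical, and the model assumes the group-based visibility restriction is enabled and that no privilege overrides it.

```c
/* Simplified user-space model (assumption), not FreeBSD kernel source. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct cred_model {        /* hypothetical stand-in for a process credential */
    unsigned rgid, egid;   /* real and effective GID */
    size_t nsupp;          /* number of supplementary groups in use */
    unsigned supp[4];      /* supplementary groups */
};

static bool in_supp(unsigned g, const struct cred_model *c) {
    for (size_t i = 0; i < c->nsupp; i++)
        if (c->supp[i] == g) return true;
    return false;
}
/* Models groupmember(): effective GID or a supplementary group. */
static bool eff_member(unsigned g, const struct cred_model *c) {
    return g == c->egid || in_supp(g, c);
}
/* Models realgroupmember(): real GID or a supplementary group. */
static bool real_member(unsigned g, const struct cred_model *c) {
    return g == c->rgid || in_supp(g, c);
}

/* Before the change: membership is tested with effective GIDs. */
bool can_see_old(const struct cred_model *v, const struct cred_model *t) {
    if (eff_member(v->egid, t)) return true;
    for (size_t i = 0; i < v->nsupp; i++)
        if (eff_member(v->supp[i], t)) return true;
    return false;
}
/* After the change: membership is tested with real GIDs. */
bool can_see_new(const struct cred_model *v, const struct cred_model *t) {
    if (real_member(v->rgid, t)) return true;
    for (size_t i = 0; i < v->nsupp; i++)
        if (real_member(v->supp[i], t)) return true;
    return false;
}

/* Constructed sample credentials (GID values are arbitrary). */
const struct cred_model launcher = { 1001, 1001, 0, {0} };
const struct cred_model elevated = { 1001, 4, 0, {0} };    /* child, egid switched */
const struct cred_model dropped  = { 1001, 1001, 0, {0} }; /* child, privileges dropped */
const struct cred_model stranger = { 2002, 2002, 0, {0} }; /* unrelated process */

int main(void) {
    printf("elevated child: old=%d new=%d\n",
        can_see_old(&launcher, &elevated), can_see_new(&launcher, &elevated));
    printf("stranger:       old=%d new=%d\n",
        can_see_old(&launcher, &stranger), can_see_new(&launcher, &stranger));
    return 0;
}
```

In the model, the launcher loses sight of its own child only under the effective-GID test, while an unrelated process stays hidden under both.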

Details

Provenance
olce Authored on Aug 17 2023, 11:54 PM
mhorne Committed on Oct 18 2023, 6:01 PM
Reviewer
mhorne
Differential Revision
D40642: cr_canseeothergids(): Use real instead of effective group membership
Parents
rG4750f117a060: New realgroupmember()
Branches
Unknown
Tags
Unknown