mac_do(4): Enhance GID rule validation to check all groups in cr_groups

Description

Previously, the rule validation only checked the primary GID (cr_gid).
This caused issues when applying GID-based rules, as users with matching
secondary groups were not considered valid. This patch modifies both
functions to iterate through all groups in cr_groups to ensure all group
memberships are considered when validating GID-based rules.

For example, if a user's primary group is staff (20) and they are also in
the wheel (0) group, this change allows the rule gid=0:any to enable
them to run commands as any user.

Reviewed by: delphij (earlier version), bapt
Differential Revision: https://reviews.freebsd.org/D47304
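
The difference between the two checks described in the commit message, as an added userland sketch in C. It is not the mac_do(4) kernel code from this commit; the struct, the function names and the minimal rule parser are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userland model of a credential (assumption: not the kernel's struct ucred). */
struct cred_model {
	unsigned gid;        /* primary GID, standing in for cr_gid */
	int ngroups;
	unsigned groups[16]; /* every membership incl. primary, for cr_groups */
};

/* Extract <id> from a rule shaped like "gid=<id>:<target>". */
static bool parse_gid_rule(const char *rule, unsigned *from)
{
	char *end;
	if (strncmp(rule, "gid=", 4) != 0 || !isdigit((unsigned char)rule[4]))
		return false;
	*from = (unsigned)strtoul(rule + 4, &end, 10);
	return *end == ':';
}

/* Behaviour before the change: only the primary GID is compared. */
bool match_primary_only(const char *rule, const struct cred_model *cr)
{
	unsigned from;
	return parse_gid_rule(rule, &from) && cr->gid == from;
}

/* Behaviour after the change: any listed group satisfies the rule. */
bool match_any_group(const char *rule, const struct cred_model *cr)
{
	unsigned from;
	if (!parse_gid_rule(rule, &from))
		return false;
	for (int i = 0; i < cr->ngroups; i++)
		if (cr->groups[i] == from)
			return true;
	return false;
}

int main(void)
{
	/* Constructed sample: primary group staff (20), also in wheel (0). */
	struct cred_model u = { .gid = 20, .ngroups = 2, .groups = { 20, 0 } };
	printf("primary only: %d\n", match_primary_only("gid=0:any", &u));
	printf("all groups:   %d\n", match_any_group("gid=0:any", &u));
	return 0;
}
```

With the all-groups check, a secondary membership alone is enough to satisfy a gid= rule, so existing rules are worth rereading with secondary memberships in mind.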

Details

Provenance
lwhsu Authored on Oct 28 2024, 6:58 PM
Reviewer
delphij
Differential Revision
D47304: mac_do(4): Enhance GID rule validation to check all groups in cr_groups
Parents
rG7200d90644ba: ktls.4: note that security/gnutls now supports ktls