Version: doas-5.9p4
System: FreeBSD freebsd-vm 11.0-BETA3 FreeBSD 11.0-BETA3 #0 r303469: Fri Jul 29 02:27:28 UTC 2016 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
Using latest version of packages.

The FreeBSD doas port leaks root privilege when running as users other than root and doesn't enforce the uid and gid of the specified user. In short: the -u switch doesn't work at all! This may be related to bug #178284.

$ doas -u nobody id
uid=0(root) gid=0(wheel) egid=1001(telnetuserid) groups=1001(telnetuserid),0(wheel)

/usr/local/etc/doas.conf:
permit keepenv { SSH_AUTH_SOCK ENV } :wheel
permit keepenv nopass root

For comparison, on the OpenBSD 5.9 release (OpenBSD openbsd-vm 5.9 GENERIC.MP#1888 amd64):

$ doas -u nobody id
uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)

/etc/doas.conf:
permit keepenv { ENV PKG_PATH SSH_AUTH_SOCK } :wheel
permit nopass keepenv root
Looks like this is fixed upstream so I will update the port to match.
Created attachment 173364 [details] Patch to update port and correct this issue
I've compiled doas from upstream. The correct uid and gid are enforced, but the issuer's egid and groups are still exposed. Can you make "portable" doas behave more like sudo or OpenBSD doas? The doas utility doesn't need to expose the caller's egid and groups with the -u switch, just the plain uid, gid, and groups of the user being switched to.

Doas compiled from upstream commit 8bec4dcaa6afb6f6b480a720edbc896bcb9ac69d:

# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
# doas -u nobody id
uid=65534(nobody) gid=65534(nobody) egid=0(wheel) groups=0(wheel),5(operator)
# sudo -u nobody id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
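For readers following the original report and comment 3, here is the identity-switch sequence that produces the sudo-style output shown above (target uid, gid and supplementary groups, nothing left over from the caller), together with the post-switch check that would have flagged both symptoms in this PR. This is an added illustration, not code from the FreeBSD port, upstream doas or sudo. It assumes it is started as root (so initgroups/setgid/setuid are permitted) and that the target user, "nobody" by default, exists in passwd(5); the function names are the example's own.

```c
/* Added example: correct order for switching a privileged helper to a
 * target user, with verification. Not the doas port's or upstream's code. */
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Compare the process identity against the target. Returns 0 when real
 * and effective uid and gid all match, -1 otherwise. id(1) prints euid=
 * and egid= only when they differ from uid/gid, so an "egid=..." field in
 * the output of "doas -u nobody id" is itself the symptom. */
int verify_identity(uid_t want_uid, gid_t want_gid)
{
    if (getuid() != want_uid || geteuid() != want_uid)
        return -1;
    if (getgid() != want_gid || getegid() != want_gid)
        return -1;
    return 0;
}

/* Switch to the named user. Order matters: the supplementary group list is
 * replaced first (setgroups needs root, so it must run while still
 * privileged), then the gid, then the uid. Every step is checked; on any
 * failure the caller still holds its own privileges and must abort rather
 * than exec the requested command. */
int switch_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        fprintf(stderr, "unknown user %s\n", name);
        return -1;
    }
    /* initgroups(3) installs the target's groups from group(5); skipping
     * it leaves the caller's list behind, as in "groups=0(wheel),5(operator)". */
    if (initgroups(pw->pw_name, pw->pw_gid) == -1) {
        perror("initgroups");
        return -1;
    }
    /* setgid before setuid: once the uid is unprivileged, setgid would fail
     * and the process would keep the caller's egid. */
    if (setgid(pw->pw_gid) == -1) {
        perror("setgid");
        return -1;
    }
    if (setuid(pw->pw_uid) == -1) {
        perror("setuid");
        return -1;
    }
    /* Confirm the kernel applied the change and that root cannot be regained
     * (setuid(0) must now fail; it would succeed if only the euid had moved). */
    if (verify_identity(pw->pw_uid, pw->pw_gid) == -1) {
        fprintf(stderr, "identity not switched\n");
        return -1;
    }
    if (pw->pw_uid != 0 && setuid(0) != -1) {
        fprintf(stderr, "could regain root after setuid\n");
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    const char *target = argc > 1 ? argv[1] : "nobody";
    if (switch_to_user(target) == -1)
        return 1;
    /* Equivalent of "doas -u nobody id": show what the switched process sees. */
    execlp("id", "id", (char *)NULL);
    perror("execlp");
    return 1;
}
```

Run as root with `./switch nobody`; the expected output has no egid= field and lists only nobody's groups. Running it unprivileged makes initgroups fail with EPERM and the program exits before exec, which is the intended failure mode.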
Jessie: thanks for your work on this, I am intending to commit it shortly. Could you please mark commit 8bec4dc as release v5.9-5 in the GitHub repo, to ensure it matches with this port update? Also, are you intending to look into the additional issue regarding egid and groups raised in comment #3?
Ben, the fixed upstream code has been tagged with v5.9-5 on GitHub. Regarding the euid concern raised in #3, I do not see this as a bug. There isn't much point in hiding the user's own id information from themselves. If someone else wants to submit a pull request to change the behaviour I'll accept it, but I'm not going to change it myself.
A commit references this bug:

Author: woodsb02
Date: Wed Aug 24 15:31:59 UTC 2016
New revision: 420802
URL: https://svnweb.freebsd.org/changeset/ports/420802

Log:
  security/doas: Update to 5.9p5

  This update enforces the correct uid and gid when -u switch is used.

  PR:                   211622
  Reported by:          telnetuserid@sdf.org
  Submitted by:         jsmith@resonatingmedia.com (maintainer)
  Approved by:          koobs, adamw (mentors)
  Relnotes:             https://github.com/slicer69/doas/releases/tag/v5.9-5
  Differential Revision: https://reviews.freebsd.org/D7630

Changes:
  head/security/doas/Makefile
  head/security/doas/distinfo
Committed - thanks for reporting this telnetuserid@sdf.org, and for your patch and continued maintenance Jessie.