Bug 272093 - The 'see_other_gids' security policy considers the effective group IDs and not the real ones
Summary: The 'see_other_gids' security policy considers the effective group IDs and no...
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: Olivier Certner
URL: https://reviews.freebsd.org/D40644
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-20 13:03 UTC by Olivier Certner
Modified: 2024-01-05 15:48 UTC (History)
3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Olivier Certner freebsd_committer freebsd_triage 2023-06-20 13:03:19 UTC 
This has the consequence that unprivileged processes cannot see setuid commands they launch until these have relinquished their privileges.

This is also in contradiction with how the parallel 'see_other_uids' work, i.e., by taking into account real user IDs.

Fix to be referenced after bug creation.
Comment 1 commit-hook freebsd_committer freebsd_triage 2023-09-28 15:11:18 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=91658080f1a598ddda03943a783c9a941199f7d2

commit 91658080f1a598ddda03943a783c9a941199f7d2
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-08-17 23:54:45 +0000
Commit:     Mitchell Horne <mhorne@FreeBSD.org>
CommitDate: 2023-09-28 15:05:46 +0000

    cr_canseeothergids(): Use real instead of effective group membership

    Using the effective group and not the real one when testing membership
    has the consequence that unprivileged processes cannot see setuid
    commands they launch until these have relinquished their privileges.
    This is also in contradiction with how the similar cr_canseeotheruids()
    works, i.e., by taking into account real user IDs.

    Fix this by substituting groupmember() with realgroupmember().  While
    here, simplify the code.

    PR:                     272093
    Reviewed by:            mhorne
    MFC after:              2 weeks
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40642

 sys/kern/kern_prot.c | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2023-09-28 15:11:22 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=0452dd841336cea7cd979b13ef12b6ea5e992eff

commit 0452dd841336cea7cd979b13ef12b6ea5e992eff
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-08-17 23:54:46 +0000
Commit:     Mitchell Horne <mhorne@FreeBSD.org>
CommitDate: 2023-09-28 15:05:46 +0000

    cr_canseeothergids(): Policy change's manual pages impact

    See previous commit that made cr_canseeothergids() use the new
    realgroupmember() function, taking into account real group IDs instead
    of effective ones.

    PR:                     272093
    Reviewed by:            pauamma_gundo.com, mhorne
    MFC after:              2 weeks
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40644

 share/man/man9/cr_bsd_visible.9     | 2 +-
 share/man/man9/cr_canseeothergids.9 | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-10-17 19:44:04 UTC 
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=f482bc958437e90cf8eb3a9e45e92efeb0b2556e

commit f482bc958437e90cf8eb3a9e45e92efeb0b2556e
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-08-17 23:54:45 +0000
Commit:     Mitchell Horne <mhorne@FreeBSD.org>
CommitDate: 2023-10-17 19:42:59 +0000

    cr_canseeothergids(): Use real instead of effective group membership

    Using the effective group and not the real one when testing membership
    has the consequence that unprivileged processes cannot see setuid
    commands they launch until these have relinquished their privileges.
    This is also in contradiction with how the similar cr_canseeotheruids()
    works, i.e., by taking into account real user IDs.

    Fix this by substituting groupmember() with realgroupmember().  While
    here, simplify the code.

    PR:                     272093
    Reviewed by:            mhorne
    MFC after:              2 weeks
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40642
    Differential Revision:  https://reviews.freebsd.org/D40644

    (cherry picked from commit 91658080f1a598ddda03943a783c9a941199f7d2)
    (cherry picked from commit 0452dd841336cea7cd979b13ef12b6ea5e992eff)

 share/man/man9/cr_bsd_visible.9     |  2 +-
 share/man/man9/cr_canseeothergids.9 |  8 ++++----
 sys/kern/kern_prot.c                | 23 ++++++++++-------------
 3 files changed, 15 insertions(+), 18 deletions(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-10-18 18:05:01 UTC 
A commit in branch releng/14.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=26ff4836c88812b9ee03c4cc127ba2b467173a0e

commit 26ff4836c88812b9ee03c4cc127ba2b467173a0e
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-08-17 23:54:45 +0000
Commit:     Mitchell Horne <mhorne@FreeBSD.org>
CommitDate: 2023-10-18 18:01:49 +0000

    cr_canseeothergids(): Use real instead of effective group membership

    Using the effective group and not the real one when testing membership
    has the consequence that unprivileged processes cannot see setuid
    commands they launch until these have relinquished their privileges.
    This is also in contradiction with how the similar cr_canseeotheruids()
    works, i.e., by taking into account real user IDs.

    Fix this by substituting groupmember() with realgroupmember().  While
    here, simplify the code.

    Approved by:            re (gjb)
    PR:                     272093
    Reviewed by:            mhorne
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40642
    Differential Revision:  https://reviews.freebsd.org/D40644

    (cherry picked from commit 91658080f1a598ddda03943a783c9a941199f7d2)
    (cherry picked from commit 0452dd841336cea7cd979b13ef12b6ea5e992eff)
    (cherry picked from commit 4e7cea61051abc476c64e4a996397235f5a881bc)

 share/man/man9/cr_bsd_visible.9     |  2 +-
 share/man/man9/cr_canseeothergids.9 |  8 ++++----
 sys/kern/kern_prot.c                | 23 ++++++++++-------------
 3 files changed, 15 insertions(+), 18 deletions(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2023-12-21 13:45:03 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=0297e7213c0c0ce8bd7bdc107da953e8fb6b5815

commit 0297e7213c0c0ce8bd7bdc107da953e8fb6b5815
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-08-17 23:54:46 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2023-12-21 13:38:15 +0000

    cr_canseeothergids(): Policy change's manual pages impact

    See previous commit that made cr_canseeothergids() use the new
    realgroupmember() function, taking into account real group IDs instead
    of effective ones.

    PR:                     272093
    Reviewed by:            pauamma_gundo.com, mhorne
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40644

    (cherry picked from commit 0452dd841336cea7cd979b13ef12b6ea5e992eff)

    Approved by:    markj (mentor)

 share/man/man9/cr_bsd_visible.9     | 2 +-
 share/man/man9/cr_canseeothergids.9 | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
Comment 6 commit-hook freebsd_committer freebsd_triage 2023-12-21 13:45:05 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=f0951233c6d33da3c9a6bc347d9ae7aa911d7ca9

commit f0951233c6d33da3c9a6bc347d9ae7aa911d7ca9
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-08-17 23:54:45 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2023-12-21 13:38:07 +0000

    cr_canseeothergids(): Use real instead of effective group membership

    Using the effective group and not the real one when testing membership
    has the consequence that unprivileged processes cannot see setuid
    commands they launch until these have relinquished their privileges.
    This is also in contradiction with how the similar cr_canseeotheruids()
    works, i.e., by taking into account real user IDs.

    Fix this by substituting groupmember() with realgroupmember().  While
    here, simplify the code.

    PR:                     272093
    Reviewed by:            mhorne
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40642

    (cherry picked from commit 91658080f1a598ddda03943a783c9a941199f7d2)

    Approved by:    markj (mentor)

 sys/kern/kern_prot.c | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)
Comment 7 Olivier Certner freebsd_committer freebsd_triage 2024-01-05 15:48:20 UTC 
Assign to resolver (me).