FreeBSD Bugzilla – Attachment 254060 Details for
Bug 281820
mdo: failed to call initgroups: Operation not permitted
[patch]
WIP: Not thoroughly tested
bz_281820.patch (text/plain), 2.02 KB, created by
Jose Luis Duran
on 2024-10-06 20:40:59 UTC
Description:
WIP: Not thoroughly tested
Filename:
MIME Type:
Creator:
Jose Luis Duran
Created:
2024-10-06 20:40:59 UTC
Size:
2.02 KB
patch
obsolete
>diff --git sys/security/mac_do/mac_do.c sys/security/mac_do/mac_do.c
>index 507e64ea0175..2d8c2477f5b3 100644
>--- sys/security/mac_do/mac_do.c
>+++ sys/security/mac_do/mac_do.c
>@@ -409,10 +409,20 @@ init(struct mac_policy_conf *mpc)
> static bool
> rule_is_valid(struct ucred *cred, struct rule *r)
> {
>+ int i;
>+
> if (r->from_type == RULE_UID && r->f_uid == cred->cr_uid)
> return (true);
>- if (r->from_type == RULE_GID && r->f_gid == cred->cr_gid)
>- return (true);
>+ if (r->from_type == RULE_GID) {
>+ if (r->f_gid == cred->cr_gid)
>+ return (true);
>+ if (cred->cr_rgid == 0)
>+ return (true);
>+ for (i = 0; i < cred->cr_ngroups; i++) {
>+ if (r->f_gid == cred->cr_groups[i])
>+ return (true);
>+ }
>+ }
> return (false);
> }
>
>@@ -457,13 +467,17 @@ check_setgroups(struct ucred *cred, int ngrp, gid_t *groups)
> if (cred->cr_uid == 0)
> return (0);
>
>+ PROC_UNLOCK(curproc);
> if (vn_fullpath(curproc->p_textvp, &fullpath, &freebuf) != 0)
> return (EPERM);
>+ PROC_LOCK(curproc);
> if (strcmp(fullpath, "/usr/bin/mdo") != 0) {
>- free(freebuf, M_TEMP);
>+ if (freebuf != NULL)
>+ free(freebuf, M_TEMP);
> return (EPERM);
> }
>- free(freebuf, M_TEMP);
>+ if (freebuf != NULL)
>+ free(freebuf, M_TEMP);
>
> rule = mac_do_rule_find(cred->cr_prison, &pr);
> TAILQ_FOREACH(r, &rule->head, r_entries) {
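Review bot: The new `if (cred->cr_rgid == 0) return (true);` in rule_is_valid() makes every RULE_GID rule match any credential whose real gid is 0, whatever gid the rule actually names, so a non-root user whose primary group is gid 0 satisfies every gid rule in the set. If real gid 0 is meant to bypass the rules entirely, that belongs next to the callers' existing root short-circuits (the `cr_uid == 0` / `cr_ruid == 0` tests visible in check_setgroups and check_setuid), not inside the per-rule match; otherwise the line should be dropped and the function left to compare `r->f_gid` against `cr_gid` and the `cr_groups[]` entries only. The supplementary-group loop itself reads correctly, but since it changes the meaning of a gid rule it deserves a comment such as `/* A gid rule also matches any of the caller's supplementary groups. */`.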
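Review bot: In check_setgroups() the early `return (EPERM)` sitting between the added `PROC_UNLOCK(curproc)` and `PROC_LOCK(curproc)` returns with curproc unlocked on the vn_fullpath() failure path, while the success path re-takes the lock; assuming the caller holds the proc lock (which is what the unlock implies), that return leaves it unbalanced. Re-acquire before returning: `if (vn_fullpath(curproc->p_textvp, &fullpath, &freebuf) != 0) { PROC_LOCK(curproc); return (EPERM); }`. The same unlock/early-return pair is repeated in the check_setuid hunk below. The added `if (freebuf != NULL)` guards are redundant, since free(9) accepts a NULL address, and the window in which the lock is dropped would be worth a one-line comment stating why it is safe to re-read `cred` and `curproc` afterwards.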
>@@ -492,17 +506,25 @@ check_setuid(struct ucred *cred, uid_t uid)
> if (cred->cr_uid == uid || cred->cr_uid == 0 || cred->cr_ruid == 0)
> return (0);
>
>+ PROC_UNLOCK(curproc);
> if (vn_fullpath(curproc->p_textvp, &fullpath, &freebuf) != 0)
> return (EPERM);
>+ PROC_LOCK(curproc);
> if (strcmp(fullpath, "/usr/bin/mdo") != 0) {
>- free(freebuf, M_TEMP);
>+ if (freebuf != NULL)
>+ free(freebuf, M_TEMP);
> return (EPERM);
> }
>- free(freebuf, M_TEMP);
>+ if (freebuf != NULL)
>+ free(freebuf, M_TEMP);
>
> error = EPERM;
> rule = mac_do_rule_find(cred->cr_prison, &pr);
> TAILQ_FOREACH(r, &rule->head, r_entries) {
>+ if (rule_is_valid(cred, r)) {
>+ error = 0;
>+ break;
>+ }
> if (r->from_type == RULE_UID) {
> if (cred->cr_uid != r->f_uid)
> continue;
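Review bot: The inserted `if (rule_is_valid(cred, r)) { error = 0; break; }` at the top of the TAILQ_FOREACH loop in check_setuid() grants the operation as soon as a rule's from-side matches the caller: rule_is_valid() receives only `cred` and `r`, never the requested `uid`, and the `break` skips the remainder of the loop body (outside this hunk) where the rule's target is presumably compared against `uid`. As written, any rule naming the caller's uid or gid on its from-side would allow setuid to every uid, including 0, which is broader than the existing per-rule checks that follow. Either drop the early break and let the existing target comparison run after the from-side match, or extend the shortcut so it also checks the rule's to-side against `uid` before setting `error = 0`. The body of check_setuid continues past the end of the hunk, so the target comparison itself is not visible here.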