Bug 211622

Summary: security/doas: doas doesn't enforce correct uid and gid with -u switch
Product: Ports & Packages
Reporter: telnetuserid
Component: Individual Port(s)
Assignee: Ben Woods <woodsb02>
Status: Closed FIXED
Severity: Affects Only Me
CC: jsmith, woodsb02
Priority: ---
Flags: woodsb02: maintainer-feedback+
Version: Latest
Hardware: amd64
OS: Any
Attachments:
Patch to update port and correct this issue (Flags: jsmith: maintainer-approval+)

Description telnetuserid 2016-08-06 10:50:37 UTC
Version: doas-5.9p4

System:
FreeBSD freebsd-vm 11.0-BETA3 FreeBSD 11.0-BETA3 #0 r303469: Fri Jul 29 02:27:28 UTC 2016     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

Using latest version of packages.

The FreeBSD doas port leaks root privilege when running as users other than root and doesn't enforce the uid and gid for the specified user.

In short: the -u switch doesn't work at all!

This may be related to bug #178284

$ doas -u nobody id
uid=0(root) gid=0(wheel) egid=1001(telnetuserid) groups=1001(telnetuserid),0(wheel)

/usr/local/etc/doas.conf
permit keepenv { SSH_AUTH_SOCK ENV } :wheel
permit keepenv nopass root

For comparison, on the OpenBSD 5.9 release:
OpenBSD openbsd-vm 5.9 GENERIC.MP#1888 amd64

$ doas -u nobody id
uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)

/etc/doas.conf
permit keepenv { ENV PKG_PATH SSH_AUTH_SOCK } :wheel
permit nopass keepenv root
Comment 1 Jesse Smith 2016-08-06 20:41:31 UTC
Looks like this is fixed upstream so I will update the port to match.
Comment 2 Jesse Smith 2016-08-06 21:13:30 UTC
Created attachment 173364
Patch to update port and correct this issue
Comment 3 telnetuserid 2016-08-08 02:07:03 UTC
I've compiled doas from upstream.
The correct uid and gid are enforced, but the issuer's egid and groups identification is still exposed.

Can you make "portable" doas behave more like sudo or OpenBSD doas? The doas utility doesn't need to expose the caller's egid and groups with the -u switch. Just plain uid, gid, and groups for the user to switch to.

Doas compiled from upstream commit 8bec4dcaa6afb6f6b480a720edbc896bcb9ac69d

# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

# doas -u nobody id
uid=65534(nobody) gid=65534(nobody) egid=0(wheel) groups=0(wheel),5(operator)

# sudo -u nobody id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
Comment 4 Ben Woods freebsd_committer freebsd_triage 2016-08-24 14:28:22 UTC
Jesse: thanks for your work on this, I am intending to commit it shortly.

Could you please mark commit 8bec4dc as release v5.9-5 in the GitHub repo, to ensure it matches with this port update?

Also, are you intending to look into the additional issue regarding egid and groups raised in comment #3?
Comment 5 Jesse Smith 2016-08-24 14:56:03 UTC
Ben,

The fixed upstream code has been tagged with v5.9-5 on GitHub.

Regarding the euid concern raised in #3, I do not see this as a bug. There isn't much point in hiding the user's own id information from themselves. If someone else wants to submit a pull request to change the behaviour I'll accept it, but I'm not going to change it myself.
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-08-24 15:32:44 UTC
A commit references this bug:

Author: woodsb02
Date: Wed Aug 24 15:31:59 UTC 2016
New revision: 420802
URL: https://svnweb.freebsd.org/changeset/ports/420802

Log:
  security/doas: Update to 5.9p5

  This update enforces the correct uid and gid when -u switch is used.

  PR:		211622
  Reported by:	telnetuserid@sdf.org
  Submitted by:	jsmith@resonatingmedia.com (maintainer)
  Approved by:	koobs, adamw (mentors)
  Relnotes:	https://github.com/slicer69/doas/releases/tag/v5.9-5
  Differential Revision:	https://reviews.freebsd.org/D7630

Changes:
  head/security/doas/Makefile
  head/security/doas/distinfo
Comment 7 Ben Woods freebsd_committer freebsd_triage 2016-08-24 15:33:05 UTC
Committed - thanks for reporting this telnetuserid@sdf.org, and for your patch and continued maintenance Jesse.
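
The `id` transcripts quoted in this report can be compared mechanically. The following is an added example, not code from the report or from the doas project: it parses each `id` line from the page and lists the credential fields that still differ from the target account. The function names are illustrative, and it assumes `nobody` has no groups beyond its primary one and that the FreeBSD rows use the numeric id shown in comment 3.

```python
import re

# `id` lines copied from the report: (label, output, numeric id of "nobody").
# Assumption: the FreeBSD rows use 65534 for nobody, as comment 3's output
# shows, and nobody has no groups besides its primary one.
SAMPLES = [
    ("FreeBSD doas-5.9p4",
     "uid=0(root) gid=0(wheel) egid=1001(telnetuserid) "
     "groups=1001(telnetuserid),0(wheel)", 65534),
    ("FreeBSD doas 8bec4dc",
     "uid=65534(nobody) gid=65534(nobody) egid=0(wheel) "
     "groups=0(wheel),5(operator)", 65534),
    ("FreeBSD sudo", "uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)", 65534),
    ("OpenBSD 5.9 doas", "uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)", 32767),
]

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_id(line):
    """Turn one line of id(1) output into numeric credentials."""
    fields = {}
    for key, value in FIELD.findall(line):
        # Keep only the number in front of each "(name)".
        fields[key] = [int(item.split("(")[0]) for item in value.split(",")]
    uid, gid = fields["uid"][0], fields["gid"][0]
    # id(1) prints euid=/egid= only when they differ from the real ids.
    return {
        "uid": uid, "gid": gid,
        "euid": fields.get("euid", [uid])[0],
        "egid": fields.get("egid", [gid])[0],
        "groups": set(fields.get("groups", [gid])),
    }

def residual(line, uid, gid, groups=None):
    """List the credential fields that do not match the target account."""
    creds = parse_id(line)
    allowed = set(groups or ()) | {gid}
    bad = [k for k in ("uid", "euid") if creds[k] != uid]
    bad += [k for k in ("gid", "egid") if creds[k] != gid]
    if not creds["groups"] <= allowed:
        bad.append("groups")
    return bad

def report():
    return {label: residual(line, tid, tid) for label, line, tid in SAMPLES}

if __name__ == "__main__":
    for label, bad in report().items():
        print(f"{label}: {', '.join(bad) if bad else 'matches target'}")
```

Run against a live system, the same check can take the output of `doas -u nobody id` and the target's ids from the password database instead of the embedded samples.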