When using the mac_biba module, only root processes that are capable of attaining biba/equal status are considered privileged. Among the privileges to be lost for processes that cannot attain biba/equal is the ability to set the login class of the process. When sshd sets the user's context upon successful authentication (session.c:1494), both the user's login class and the corresponding MAC label are set in the same call to setusercontext. Since this isn't an atomic function, it's possible for the MAC label to be set before the login class (in my case, this certainly happens). Therefore, if the login class of the user logging in has a MAC label in /etc/login.conf incompatible with biba/equal (e.g. biba/high(high-high)), then the login class might not be set (in my case it *doesn't* get set). This can cause unexpected behavior for tools that can be configured by login class, e.g. rctl. My proposed solution is to separate context-setting into two calls to setusercontext, with the first call setting all but LOGIN_SETMAC, and the second call setting only LOGIN_SETMAC. I've included a patch, which works on my system.

Fix: Patch /usr/src/crypto/openssh/session.c so that the MAC label is explicitly set after the login class is set. Patch attached with submission follows:

How-To-Repeat:
- Enable mac_biba.
- Set the MAC label of a login class to ":label=biba/high(high-high):" in /etc/login.conf and run cap_mkdb. By default, sshd will probably run under the "default" login class; therefore, use a different login class so that a change in login class is required upon login.
- Log in remotely as a user who is a member of the login class modified in the step above. The login should succeed.
- Look at /var/log/messages for a message regarding setloginclass, and/or use `ps -o class -aux | grep sshd` to verify that the login class hasn't been set properly for the logged-in user.
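An added check for the last How-To-Repeat step (example code, not part of the report or of the committed patch): a POSIX sh function that compares the login class ps shows for each sshd session against the class in the user's master.passwd entry, run here over constructed sample input. The `ps -o class,user,command -ax` column layout and the master.passwd field order (class in field 5) are assumptions.

```shell
#!/bin/sh
# Added example, not from the PR: flag sshd session processes whose login
# class (as shown by `ps -o class`) differs from the class assigned in the
# user's master.passwd entry, which is the symptom of the ordering bug.

# Constructed sample in master.passwd layout (field 5 is the login class).
SAMPLE_PASSWD='alice:*:1001:1001:bibahigh:0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002:default:0:0:Bob:/home/bob:/bin/sh'

# Constructed sample in the layout assumed for `ps -o class,user,command -ax`;
# alice's session kept the daemon's "default" class instead of "bibahigh".
SAMPLE_PS='CLASS    USER   COMMAND
default  root   sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
default  root   sshd: alice [priv]
default  alice  sshd: alice@pts/0
default  bob    sshd: bob@pts/1'

# check_classes PASSWD_TEXT PS_TEXT
# Prints one MISMATCH line per sshd session whose class is not the expected
# one; exit status 0 when every session matches, 1 otherwise.
check_classes() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -F: '
        # Lines before the "---" marker are passwd entries: remember the class.
        !sep && $0 == "---" { sep = 1; FS = " "; next }
        !sep                { want[$1] = $5; next }
        # Lines after the marker are ps output: skip the header and check
        # only "sshd: user..." processes owned by a user we know about.
        $1 == "CLASS" { next }
        $3 == "sshd:" && ($2 in want) && $1 != want[$2] {
            printf "MISMATCH user=%s expected=%s actual=%s\n", $2, want[$2], $1
            bad = 1
        }
        END { exit bad }'
}

# Run against the constructed sample: reports alice and exits non-zero.
check_classes "$SAMPLE_PASSWD" "$SAMPLE_PS" ||
    echo "at least one sshd session did not get its login class"
```

On a live system, feed it `pw usershow -a` style lines and real `ps -o class,user,command -ax` output instead of the samples.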
(The following comment did not carry over when the bug report was migrated to the new system.)
From: Kevin Barry <ta0kira@gmail.com> [submitter]
To: bug-followup@FreeBSD.org, ta0kira@gmail.com
Date: Sun, 7 Apr 2013 23:50:35 -0400

I submitted this bug report earlier, and since then I've noticed that /usr/bin/login suffers from the same problem. I've therefore made a change to libutil to make setusercontext set the MAC label right before the uid change. I've attached a separate patch that should universally fix the problem. This also makes my previous sshd patch obsolete. Incidentally, this should be reclassified as a bug in libutil.
(The following comment did not carry over when the bug report was migrated to the new system.)
From: Kevin Barry <ta0kira@gmail.com> [submitter]
To: bug-followup@FreeBSD.org, ta0kira@gmail.com
Date: Fri, 12 Apr 2013 15:20:10 -0400

Here's a new patch for login_class.c. As far as I can tell there is no reason to require that a passwd entry be specified in order to set the MAC label; therefore, I removed that requirement. Additionally, the current implementation silently fails to set the MAC label when the pwd argument is NULL, and silent failure when it comes to security isn't a good thing. While not directly related to the original problem, it's related to the underlying issue, which is that the handling of MAC labels in setusercontext has several bugs in need of fixing.
I will try to look into this.
Created attachment 221063: libutil patch updated for 12.2-RELEASE
Keyword: patch or patch-ready – in lieu of summary line prefix: [patch]
* bulk change for the keyword
* summary lines may be edited manually (not in bulk).
Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>
Created attachment 257858: libutil patch updated for 12.2-RELEASE

^Triage: rebase patch.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=98edcbcce0a4650084bd86e704cfa38bf590250c

commit 98edcbcce0a4650084bd86e704cfa38bf590250c
Author:     Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2025-10-29 02:37:21 +0000
Commit:     Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2025-10-29 02:37:21 +0000

    libutil: defer setting the MAC label until after the login class

    MAC policies, like mac_biba(4), may forbid changing the login class once a
    label has been applied. For setting up the initial login context, this
    isn't really expected and in fact may break some class-based
    configuration.

    Defer setting the MAC label until after the login class is set, and remove
    the requirement that we have a pwd entry since the label is pulled from the
    login class -- we only use pwd for syslog in this path.

    Patch is largely by Kevin Barry, with some modifications and this commit
    message by kevans@.

    PR:             177698
    Reviewed by:    des, olce
    MFC after:      3 days
    Co-authored-by: Kevin Barry <ta0kira gmail com>
    Differential Revision: https://reviews.freebsd.org/D53362

 lib/libutil/login_class.c | 55 ++++++++++++++++++++++++++---------------------
 1 file changed, 30 insertions(+), 25 deletions(-)
^Triage: assign to committer and set MFC flags (if desired).