Bug 211622 - security/doas: doas doesn't enforce correct uid and gid with -u switch
Summary: security/doas: doas doesn't enforce correct uid and gid with -u switch
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: amd64 Any
: --- Affects Only Me
Assignee: Ben Woods
Depends on:
Reported: 2016-08-06 10:50 UTC by telnetuserid
Modified: 2016-08-24 15:33 UTC (History)
2 users (show)

See Also:
woodsb02: maintainer-feedback+

Patch to update port and correct this issue (1.18 KB, patch)
2016-08-06 21:13 UTC, jsmith
jsmith: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description telnetuserid 2016-08-06 10:50:37 UTC
Version: doas-5.9p4

FreeBSD freebsd-vm 11.0-BETA3 FreeBSD 11.0-BETA3 #0 r303469: Fri Jul 29 02:27:28 UTC 2016     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

Using latest version of packages.

FreeBSD doas port leaking root privilege when running as users other than root and doesn't enforce uid and gid for the specified user.

In short words: -u switch doesn't work at all!

This may be related to bug #178284

$ doas -u nobody id
uid=0(root) gid=0(wheel) egid=1001(telnetuserid) groups=1001(telnetuserid),0(wheel)

permit keepenv { SSH_AUTH_SOCK ENV } :wheel
permit keepenv nopass root

For comparison, on openbsd 5.9 release.
OpenBSD openbsd-vm 5.9 GENERIC.MP#1888 amd64

$ doas -u nobody id
uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)

permit keepenv { ENV PKG_PATH SSH_AUTH_SOCK } :wheel
permit nopass keepenv root
Comment 1 jsmith 2016-08-06 20:41:31 UTC
Looks like this is fixed upstream so I will update the port to match.
Comment 2 jsmith 2016-08-06 21:13:30 UTC
Created attachment 173364 [details]
Patch to update port and correct this issue
Comment 3 telnetuserid 2016-08-08 02:07:03 UTC
I've compiled doas from upstream.
The correct uid and gid is enforced, but the issuer egid and groups identification is still exposed.

Can you make "portable" doas behave more like sudo or OpenBSD doas? Doas utility  doesn't need to expose caller's egid and groups with -u switch. Just plain uid, gid, and groups for the user to switch.

Doas compiled from upstream commit 8bec4dcaa6afb6f6b480a720edbc896bcb9ac69d

# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

# doas -u nobody id
uid=65534(nobody) gid=65534(nobody) egid=0(wheel) groups=0(wheel),5(operator)

# sudo -u nobody id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
Comment 4 Ben Woods freebsd_committer 2016-08-24 14:28:22 UTC
Jessie: thanks for your work on this, I am intending to commit it shortly.

Could you please mark commit 8bec4dc as release v5.9-5 in the GitHub repo, to ensure it matches with this port update?

Also, are you intending to look into the additional issue regarding egid and groups raised in comment #3?
Comment 5 jsmith 2016-08-24 14:56:03 UTC

The fixed upstream code has been tagged with v5.9-5 on GitHub.

Regarding the euid concern raised in #3, I do not see this is a bug. There isn't much point in hiding the user's own id information from themselves. If someone else wants to submit a pull request to change the behaviour I'll accept it, but I'm not going to change it myself.
Comment 6 commit-hook freebsd_committer 2016-08-24 15:32:44 UTC
A commit references this bug:

Author: woodsb02
Date: Wed Aug 24 15:31:59 UTC 2016
New revision: 420802
URL: https://svnweb.freebsd.org/changeset/ports/420802

  security/doas: Update to 5.9p5

  This update enforces the correct uid and gid when -u switch is used.

  PR:		211622
  Reported by:	telnetuserid@sdf.org
  Submitted by:	jsmith@resonatingmedia.com (maintainer)
  Approved by:	koobs, adamw (mentors)
  Relnotes:	https://github.com/slicer69/doas/releases/tag/v5.9-5
  Differential Revision:	https://reviews.freebsd.org/D7630

Comment 7 Ben Woods freebsd_committer 2016-08-24 15:33:05 UTC
Committed - thanks for reporting this telnetuserid@sdf.org, and for your patch and continued maintenance Jessie.