Bug 271750 - setusercontext(): Apply user '.login_conf' on process' effective uid being set
Summary: setusercontext(): Apply user '.login_conf' on process' effective uid being set
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Only Me
Assignee: Olivier Certner
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-31 16:01 UTC by Olivier Certner
Modified: 2024-02-14 06:06 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Olivier Certner freebsd_committer freebsd_triage 2023-05-31 16:01:31 UTC 
This is a security measure to prevent setting priorities from a file controlled by the target user while the effective user has potentially more privileges.

It's probably what was intended in commit 35305a8dc114 (r211393) (in which case, this is a fix for it).
Comment 1 commit-hook freebsd_committer freebsd_triage 2023-10-10 01:58:45 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=892654fe9b5a9115815c30a423b8db47185aebbd

commit 892654fe9b5a9115815c30a423b8db47185aebbd
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-05-30 16:35:08 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-10-10 01:47:10 +0000

    setusercontext(): Apply personal settings only on matching effective UID

    Commit 35305a8dc114 (r211393) added a check on whether 'uid' was equal
    to getuid() before calling setlogincontext().  Doing so still allows
    a setuid program to apply resource limits and priorities specified in
    a user-controlled configuration file ('~/.login_conf') where
    a non-setuid program could not.  Plug the hole by checking instead that
    the process' effective UID is the target one (which is likely what was
    meant in the initial commit).

    PR:                     271750
    Reviewed by:            kib, des
    MFC after:              2 weeks
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40351

 lib/libutil/login_class.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2023-10-24 00:58:06 UTC 
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ede6fd06726c02e9d2a5c47ac8cf80d8aaec5a70

commit ede6fd06726c02e9d2a5c47ac8cf80d8aaec5a70
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-05-30 16:35:08 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-10-24 00:57:11 +0000

    setusercontext(): Apply personal settings only on matching effective UID

    Commit 35305a8dc114 (r211393) added a check on whether 'uid' was equal
    to getuid() before calling setlogincontext().  Doing so still allows
    a setuid program to apply resource limits and priorities specified in
    a user-controlled configuration file ('~/.login_conf') where
    a non-setuid program could not.  Plug the hole by checking instead that
    the process' effective UID is the target one (which is likely what was
    meant in the initial commit).

    PR:                     271750
    Reviewed by:            kib, des
    MFC after:              2 weeks
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40351

    (cherry picked from commit 892654fe9b5a9115815c30a423b8db47185aebbd)

 lib/libutil/login_class.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-12-21 13:45:04 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=9fcf54d3750e379868e51e4aa7fbf696877ab2ed

commit 9fcf54d3750e379868e51e4aa7fbf696877ab2ed
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-05-30 16:35:08 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2023-12-21 13:39:03 +0000

    setusercontext(): Apply personal settings only on matching effective UID

    Commit 35305a8dc114 (r211393) added a check on whether 'uid' was equal
    to getuid() before calling setlogincontext().  Doing so still allows
    a setuid program to apply resource limits and priorities specified in
    a user-controlled configuration file ('~/.login_conf') where
    a non-setuid program could not.  Plug the hole by checking instead that
    the process' effective UID is the target one (which is likely what was
    meant in the initial commit).

    PR:                     271750
    Reviewed by:            kib, des
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40351

    (cherry picked from commit 892654fe9b5a9115815c30a423b8db47185aebbd)

    Approved by:    markj (mentor)

 lib/libutil/login_class.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Mark Linimon freebsd_committer freebsd_triage 2023-12-27 12:26:02 UTC 
^Triage: assign to committer that resolved and MFCed.
Comment 5 commit-hook freebsd_committer freebsd_triage 2024-02-14 06:06:37 UTC 
A commit in branch releng/14.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c2a9cfc55046127176c74f86c24509ceb9da3551

commit c2a9cfc55046127176c74f86c24509ceb9da3551
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2023-05-30 16:35:08 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-02-14 05:35:46 +0000

    setusercontext(): Apply personal settings only on matching effective UID

    Commit 35305a8dc114 (r211393) added a check on whether 'uid' was equal
    to getuid() before calling setlogincontext().  Doing so still allows
    a setuid program to apply resource limits and priorities specified in
    a user-controlled configuration file ('~/.login_conf') where
    a non-setuid program could not.  Plug the hole by checking instead that
    the process' effective UID is the target one (which is likely what was
    meant in the initial commit).

    PR:                     271750
    Reviewed by:            kib, des
    MFC after:              2 weeks
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40351
    Approved by:            so
    Security:               FreeBSD-EN-24:02.libutil

    (cherry picked from commit 892654fe9b5a9115815c30a423b8db47185aebbd)
    (cherry picked from commit ede6fd06726c02e9d2a5c47ac8cf80d8aaec5a70)

 lib/libutil/login_class.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 commit-hook freebsd_committer freebsd_triage 2024-02-14 06:06:38 UTC 
A commit in branch releng/13.2 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=9deb5ca77bebd98f6b9d1f5640546dc0a15a8deb

commit 9deb5ca77bebd98f6b9d1f5640546dc0a15a8deb
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2023-05-30 16:35:08 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-02-14 05:36:19 +0000

    setusercontext(): Apply personal settings only on matching effective UID

    Commit 35305a8dc114 (r211393) added a check on whether 'uid' was equal
    to getuid() before calling setlogincontext().  Doing so still allows
    a setuid program to apply resource limits and priorities specified in
    a user-controlled configuration file ('~/.login_conf') where
    a non-setuid program could not.  Plug the hole by checking instead that
    the process' effective UID is the target one (which is likely what was
    meant in the initial commit).

    PR:                     271750
    Reviewed by:            kib, des
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40351
    Approved by:            so
    Security:               FreeBSD-EN-24:02.libutil

    (cherry picked from commit 892654fe9b5a9115815c30a423b8db47185aebbd)

    Approved by:    markj (mentor)

    (cherry picked from commit 9fcf54d3750e379868e51e4aa7fbf696877ab2ed)

 lib/libutil/login_class.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)