hardenedbsd/HardenedBSD
1
0
Fork 0
mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git synced 2024-11-21 18:50:50 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

mac_do(4): Enhance GID rule validation to check all groups in cr_groups

Browse Source 
Previously, the rule validation only checked the primary GID (cr_gid).
This caused issues when applying GID-based rules, as users with matching
secondary groups were not considered valid. This patch modifies both
functions to iterate through all groups in cr_groups to ensure all group
memberships are considered when validating GID-based rules.

For example, a user's primary group is staff (20) and they are also in
the wheel (0) group, this change allows the rule gid=0:any to enable
them to run commands as any user.

Reviewed by:	delphij (earlier version), bapt
Differential Revision:	https://reviews.freebsd.org/D47304
This commit is contained in:
Li-Wen Hsu 2024-10-29 02:58:12 +08:00
parent 7200d90644
commit 7937bfbc0c
No known key found for this signature in database
GPG Key ID: 7377A4A02A2954DD
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sys/security/mac_do/mac_do.c
View File

@ -411,7 +411,7 @@ rule_is_valid(struct ucred *cred, struct rule *r)
{
if (r->from_type == RULE_UID && r->f_uid == cred->cr_uid)
return (true);
if (r->from_type == RULE_GID && r->f_gid == cred->cr_gid)
if (r->from_type == RULE_GID && groupmember(r->f_gid, cred))
return (true);
return (false);
}
@ -516,7 +516,7 @@ check_setuid(struct ucred *cred, uid_t uid)
}
}
if (r->from_type == RULE_GID) {
if (cred->cr_gid != r->f_gid)
if (!groupmember(r->f_gid, cred))
continue;
if (r->to_type == RULE_ANY) {
error = 0;