HardenedBSD

mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git synced 2024-11-21 18:50:50 +01:00

History

Li-Wen Hsu 7937bfbc0c mac_do(4): Enhance GID rule validation to check all groups in cr_groups Previously, the rule validation only checked the primary GID (cr_gid). This caused issues when applying GID-based rules, as users with matching secondary groups were not considered valid. This patch modifies both functions to iterate through all groups in cr_groups to ensure all group memberships are considered when validating GID-based rules. For example, a user's primary group is staff (20) and they are also in the wheel (0) group, this change allows the rule gid=0:any to enable them to run commands as any user. Reviewed by: delphij (earlier version), bapt Differential Revision: https://reviews.freebsd.org/D47304	2024-10-29 02:58:12 +08:00
..
mac_do.c	mac_do(4): Enhance GID rule validation to check all groups in cr_groups	2024-10-29 02:58:12 +08:00

mac_do(4): Enhance GID rule validation to check all groups in cr_groups

Previously, the rule validation only checked the primary GID (cr_gid).
This caused issues when applying GID-based rules, as users with matching
secondary groups were not considered valid. This patch modifies both
functions to iterate through all groups in cr_groups to ensure all group
memberships are considered when validating GID-based rules.

For example, a user's primary group is staff (20) and they are also in
the wheel (0) group, this change allows the rule gid=0:any to enable
them to run commands as any user.

Reviewed by:	delphij (earlier version), bapt
Differential Revision:	https://reviews.freebsd.org/D47304

2024-10-29 02:58:12 +08:00

mac_do.c

mac_do(4): Enhance GID rule validation to check all groups in cr_groups

2024-10-29 02:58:12 +08:00