Date: Mon, 27 Mar 2006 01:40:10 GMT
From: Tom Rhodes <trhodes@FreeBSD.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/79705: mac_seeotherusids not blocking root
Message-ID: <200603270140.k2R1eALd026741@freefall.freebsd.org>
The following reply was made to PR kern/79705; it has been noted by GNATS.

From: Tom Rhodes <trhodes@FreeBSD.org>
To: bug-followup@FreeBSD.org, matt@poole.net
Cc:
Subject: Re: kern/79705: mac_seeotherusids not blocking root
Date: Sun, 26 Mar 2006 20:35:12 -0500

Hi Matthew,

The mac_seeotheruids(4) module changed as it was too difficult for the root user to properly maintain a multi-user environment as was. There was also a report about breaking ident. Could you try the following patch and toggle the suser_privileged sysctl? It should fix your problem.

Thanks,

--
Tom Rhodes

=================================================================== RCS file: /usr/local/www/cvsroot/FreeBSD/src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v retrieving revision 1.7 retrieving revision 1.8 diff -u -p -r1.7 -r1.8 --- src/sys/security/mac_seeotheruids/mac_seeotheruids.c 2005/01/03 12:08:18 1.7 +++ src/sys/security/mac_seeotheruids/mac_seeotheruids.c 2005/09/30 23:41:10 1.8 @@ -84,6 +84,14 @@ SYSCTL_INT(_security_mac_seeotheruids, O "with the same real primary group id"); /* + * Exception: allow the root user to be aware of other credentials by virtue + * of privilege. + */ +static int suser_privileged = 1; +SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, suser_privileged, + CTLFLAG_RW, &suser_privileged, 0, "Make an exception for superuser"); + +/* * Exception: allow processes with a specific gid to be exempt from the * policy. One sysctl enables this functionality; the other sets the * exempt gid. @@ -117,8 +125,10 @@ mac_seeotheruids_check(struct ucred *u1, if (u1->cr_ruid == u2->cr_ruid) return (0); - if (suser_cred(u1, 0) == 0) - return (0); + if (suser_privileged) { + if (suser_cred(u1, 0) == 0) + return (0); + } return (ESRCH); }
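Review bot: in the first hunk the new knob is initialised as `static int suser_privileged = 1;`, so with the patch applied the policy still exempts root by default, which is exactly the behaviour the PR reports; an administrator who wants root subject to the policy has to set security.mac.seeotheruids.suser_privileged to 0 explicitly. The description string "Make an exception for superuser" does not mention that default, and neither does the reply above beyond "toggle the suser_privileged sysctl"; stating the default (and the reason given in the comment, that root needs to see other credentials to administer a multi-user system) in the sysctl string and in mac_seeotheruids(4) would keep the next reporter from reading a default-on exemption as the module failing to block root.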
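Review bot: in the second hunk the nested form `if (suser_privileged) { if (suser_cred(u1, 0) == 0) return (0); }` can be collapsed to `if (suser_privileged && suser_cred(u1, 0) == 0) return (0);`, which still short-circuits the privilege check behind the knob and reads like the neighbouring `cr_ruid` test. A second point for the man page rather than the code: the knob is declared CTLFLAG_RW, so a process that already satisfies suser_cred() can set it back to 1 at run time; the sysctl therefore decides what root is shown by default, not what root is able to see, and documenting it as an administrative convenience rather than a boundary against the superuser will set the right expectation for users of the policy.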