Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 27 Mar 2006 01:40:10 GMT
From:      Tom Rhodes <trhodes@FreeBSD.org>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/79705: mac_seeotherusids not blocking root
Message-ID:  <200603270140.k2R1eALd026741@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The following reply was made to PR kern/79705; it has been noted by GNATS.

From: Tom Rhodes <trhodes@FreeBSD.org>
To: bug-followup@FreeBSD.org, matt@poole.net
Cc:  
Subject: Re: kern/79705: mac_seeotherusids not blocking root
Date: Sun, 26 Mar 2006 20:35:12 -0500

 Hi Matthew,
 
 The mac_seeotheruids(4) module changed as it was too difficult
 for the root user to properly maintain a multi-user environment
 as was.  There was also a report about breaking ident.  Could you
 try the following patch and toggle the suser_privileged sysctl?
 It should fix your problem.  Thanks,
 
 -- 
 Tom Rhodes
 
 
 ===================================================================
 RCS file: /usr/local/www/cvsroot/FreeBSD/src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v
 retrieving revision 1.7
 retrieving revision 1.8
 diff -u -p -r1.7 -r1.8
 --- src/sys/security/mac_seeotheruids/mac_seeotheruids.c	2005/01/03 12:08:18	1.7
 +++ src/sys/security/mac_seeotheruids/mac_seeotheruids.c	2005/09/30 23:41:10	1.8
 @@ -84,6 +84,14 @@ SYSCTL_INT(_security_mac_seeotheruids, O
      "with the same real primary group id");
  
  /*
 + * Exception: allow the root user to be aware of other credentials by virtue
 + * of privilege.
 + */
 +static int	suser_privileged = 1;
 +SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, suser_privileged,
 +    CTLFLAG_RW, &suser_privileged, 0, "Make an exception for superuser");
 +
 +/*
   * Exception: allow processes with a specific gid to be exempt from the
   * policy.  One sysctl enables this functionality; the other sets the
   * exempt gid.
 @@ -117,8 +125,10 @@ mac_seeotheruids_check(struct ucred *u1,
  	if (u1->cr_ruid == u2->cr_ruid)
  		return (0);
  
 -	if (suser_cred(u1, 0) == 0)
 -		return (0);
 +	if (suser_privileged) {
 +		if (suser_cred(u1, 0) == 0)
 +			return (0);
 +	}
  
  	return (ESRCH);
  }

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200603270140.k2R1eALd026741>