Date: Thu, 27 Jun 2024 08:48:36 GMT
Message-Id: <202406270848.45R8maqD093182@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Baptiste Daroussin
Subject: git: 9722023c4875 - stable/14 - MAC/do: allow to call setuid if real user id is 0
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: bapt
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 9722023c4875a326ee9e4e9e0db71d463d990368
Auto-Submitted: auto-generated

The branch stable/14 has been updated by bapt:

URL: https://cgit.FreeBSD.org/src/commit/?id=9722023c4875a326ee9e4e9e0db71d463d990368

commit 9722023c4875a326ee9e4e9e0db71d463d990368
Author:     Baptiste Daroussin
AuthorDate: 2024-05-23 10:09:11 +0000
Commit:     Baptiste Daroussin
CommitDate: 2024-06-27 08:47:06 +0000

    MAC/do: allow to call setuid if real user id is 0

    This fixed sshd not able to call restore_uid when MAC/do policy is loaded

    (cherry picked from commit 61b07f8aa52844b21637ac264ea134c1aef48cb7)
--- sys/security/mac_do/mac_do.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c index 8685954b7db6..507e64ea0175 100644 --- a/sys/security/mac_do/mac_do.c +++ b/sys/security/mac_do/mac_do.c @@ -489,7 +489,7 @@ check_setuid(struct ucred *cred, uid_t uid) if (do_enabled == 0) return (0); - if (cred->cr_uid == uid || cred->cr_uid == 0) + if (cred->cr_uid == uid || cred->cr_uid == 0 || cred->cr_ruid == 0) return (0); if (vn_fullpath(curproc->p_textvp, &fullpath, &freebuf) != 0)
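Review bot: The new `cred->cr_ruid == 0` term in the early-return condition of `check_setuid()` has no comment, and the reason for it (sshd's restore_uid failing with the policy loaded) lives only in the commit message. Please add a short comment above the `if` saying that a credential whose real uid is 0 is exempt from the policy and why, since this return now skips the `vn_fullpath()` lookup and everything after it for any target `uid`, not only for a switch back to uid 0. If the intent is limited to letting such a process restore its earlier identity, it is worth stating in that comment whether allowing every target uid is deliberate or whether the condition should be narrowed to the uids the process is restoring to.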