git: 1aabbb25c9f9 - main - ps(1): Match current user's processes using ps' effective UID

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Olivier Certner <olce_at_FreeBSD.org>
Date: Mon, 28 Apr 2025 12:23:34 UTC
The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=1aabbb25c9f9c4372fd68621f8cabdc10b665527

commit 1aabbb25c9f9c4372fd68621f8cabdc10b665527
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2025-04-01 09:47:25 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2025-04-28 11:59:15 +0000

    ps(1): Match current user's processes using ps' effective UID
    
    This puts our ps(1) in conformance with POSIX.
    
    While here, replace ad-hoc initialization of 'uidlist' with a call to
    expand_list().
    
    ***
    
    Review of the ps(1) implementations in other BSDs, illumos, and Linux's
    procps shows they already behave as prescribed by POSIX.
    
    Previously, we would match processes with their effective user ID but
    using our real user ID.  While the real user ID is meant as the real
    identity of a process, and is used, e.g., to perform accounting or be
    permitted to send signals to specific targets, selecting processes to
    display is arguably more akin to a kind of (advisory) access control.
    ps(1) is not installed setuid, so normally the real and effective user
    IDs of ps processes are the same.  This may however not be the case when
    ps(1) is launched by another setuid executable, and the launching
    process may then logically expect that ps(1) lists the processes
    corresponding to its effective UID.
    
    MFC after:      3 days
    Relnotes:       yes
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D49619 (code)
    Differential Revision:  https://reviews.freebsd.org/D49620 (manual page)
---
 bin/ps/ps.1 | 26 +-------------------------
 bin/ps/ps.c | 13 +++++++------
 2 files changed, 8 insertions(+), 31 deletions(-)

diff --git a/bin/ps/ps.1 b/bin/ps/ps.1
index 532e920d1cdd..174f18a2f2d9 100644
--- a/bin/ps/ps.1
+++ b/bin/ps/ps.1
@@ -68,7 +68,7 @@ Other output styles can be requested via
 .Fl -libxo .
 .Pp
 By default, only the processes of the calling user, determined by matching their
-effective user ID with the real user ID of the
+effective user ID with that of the
 .Nm
 process, that have controlling terminals are shown.
 A different set of processes can be selected for display by using combinations
@@ -980,14 +980,6 @@ However, other UNIX systems that provide this functionality do so via option
 instead, reserving
 .Fl g
 to query by group leaders.
-.Pp
-.Nm
-currently determines the processes of the current user by matching their
-effective user IDs with its own real user ID, whereas
-.St -p1003.1-2024
-mandates the traditional UNIX practice of using the effective user ID as the
-current user.
-This is expected to be changed soon.
 .Sh HISTORY
 The
 .Nm
@@ -1000,22 +992,6 @@ Since
 cannot run faster than the system and is run as any other scheduled
 process, the information it displays can never be exact.
 .Pp
-.Nm
-currently uses its real user ID as the current user when determining default
-processes to show.
-Besides being inconsistent with POSIX, using the real user ID essentially makes
-sense for programs installed as setuid executables, which
-.Nm
-is not.
-It also complicates the use of
-.Nm
-from other setuid executables, which cannot rely on its default process listing.
-Finally, no other
-.Nm
-implementation (for other BSDs, illumos or Linux) behaves like this.
-For all these reasons, the behavior is expected to be changed soon to using the
-effective user ID instead.
-.Pp
 .Nm ps
 currently does not correctly limit the ouput width, and in most cases does not
 limit it at all when it should.
diff --git a/bin/ps/ps.c b/bin/ps/ps.c
index f40f6160672d..bb79c6c9af84 100644
--- a/bin/ps/ps.c
+++ b/bin/ps/ps.c
@@ -510,13 +510,14 @@ main(int argc, char *argv[])
 		 */
 		nselectors = 0;
 	else if (nselectors == 0) {
-		/* Default is to request our processes only. */
-		uidlist.l.ptr = malloc(sizeof(uid_t));
-		if (uidlist.l.ptr == NULL)
-			xo_errx(1, "malloc failed");
+		/*
+		 * Default is to request our processes only.  As per POSIX, we
+		 * match processes by their effective user IDs and we use our
+		 * effective user ID as our own identity.
+		 */
+		expand_list(&uidlist);
+		uidlist.l.uids[uidlist.count++] = geteuid();
 		nselectors = 1;
-		uidlist.count = uidlist.maxcount = 1;
-		*uidlist.l.uids = getuid();
 	}
 
 	/*