kern/79705: mac_seeotherusids not blocking root
Tom Rhodes
trhodes at FreeBSD.org
Mon Mar 27 01:40:11 UTC 2006
The following reply was made to PR kern/79705; it has been noted by GNATS.
From: Tom Rhodes <trhodes at FreeBSD.org>
To: bug-followup at FreeBSD.org, matt at poole.net
Cc:
Subject: Re: kern/79705: mac_seeotherusids not blocking root
Date: Sun, 26 Mar 2006 20:35:12 -0500
Hi Matthew,
The mac_seeotheruids(4) module changed as it was too difficult
for the root user to properly maintain a multi-user environment
as was. There was also a report about breaking ident. Could you
try the following patch and toggle the suser_privileged sysctl?
It should fix your problem. Thanks,
--
Tom Rhodes
===================================================================
RCS file: /usr/local/www/cvsroot/FreeBSD/src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -r1.7 -r1.8
--- src/sys/security/mac_seeotheruids/mac_seeotheruids.c 2005/01/03 12:08:18 1.7
+++ src/sys/security/mac_seeotheruids/mac_seeotheruids.c 2005/09/30 23:41:10 1.8
@@ -84,6 +84,14 @@ SYSCTL_INT(_security_mac_seeotheruids, O
"with the same real primary group id");
/*
+ * Exception: allow the root user to be aware of other credentials by virtue
+ * of privilege.
+ */
+static int suser_privileged = 1;
+SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, suser_privileged,
+ CTLFLAG_RW, &suser_privileged, 0, "Make an exception for superuser");
+
+/*
* Exception: allow processes with a specific gid to be exempt from the
* policy. One sysctl enables this functionality; the other sets the
* exempt gid.
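Review bot: the new knob defaults to on (`+static int suser_privileged = 1;`), so the superuser exception applies unless an administrator explicitly clears the suser_privileged sysctl; anyone who wanted root subject to the policy (the behaviour the PR reports as missing) must set it to 0, and mac_seeotheruids(4) should document the sysctl and its default next to the existing gid exemption described in the comment below it. The description string `"Make an exception for superuser"` could also say what the exception grants, e.g. "Superuser may see credentials of other users".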
@@ -117,8 +125,10 @@ mac_seeotheruids_check(struct ucred *u1,
if (u1->cr_ruid == u2->cr_ruid)
return (0);
- if (suser_cred(u1, 0) == 0)
- return (0);
+ if (suser_privileged) {
+ if (suser_cred(u1, 0) == 0)
+ return (0);
+ }
return (ESRCH);
}
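Review bot: the nested conditionals `+ if (suser_privileged) {` / `+ if (suser_cred(u1, 0) == 0)` can be collapsed into a single `if (suser_privileged && suser_cred(u1, 0) == 0) return (0);`, which keeps the short-circuit (suser_cred() is only called when the knob is set) and matches the one-line style of the preceding `cr_ruid` check. The behaviour itself is right: with the sysctl cleared, a superuser credential falls through to `return (ESRCH);` like any other unrelated uid, which is what the PR asks for.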