From nobody@FreeBSD.org  Sat Apr  9 03:10:48 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 34EA116A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  9 Apr 2005 03:10:48 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1AFCA43D2F
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  9 Apr 2005 03:10:48 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j393Al2K027210
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 9 Apr 2005 03:10:47 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id j393Alfg027152;
	Sat, 9 Apr 2005 03:10:47 GMT
	(envelope-from nobody)
Message-Id: <200504090310.j393Alfg027152@www.freebsd.org>
Date: Sat, 9 Apr 2005 03:10:47 GMT
From: Matthew Poole <matt@p00le.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: mac_seeotheruids not blocking root
X-Send-Pr-Version: www-2.3

>Number:         79705
>Category:       kern
>Synopsis:       mac_seeotheruids not blocking root
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    trhodes
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 09 03:20:30 GMT 2005
>Closed-Date:    Sat Oct 07 10:56:42 GMT 2006
>Last-Modified:  Sat Oct 07 10:56:42 GMT 2006
>Originator:     Matthew Poole
>Release:        5.4-STABLE
>Organization:
>Environment:
FreeBSD ghengis.flat205 5.4-STABLE FreeBSD 5.4-STABLE #1: Sat Apr  9 01:15:59 NZST 2005     root@ghengis.flat205:/usr/obj/usr/src/sys/KERNEL.SECURE  i386
>Description:
Have loaded mac_seeotheruids, and confirmed that security.mac.seeotheruids.specificgid_enabled=0
However, root can still see all user processes.  Documentation indicates that root should not be able to see other users' processes if specificgid_enabled is set to 0.
>How-To-Repeat:
Build kernel with MAC
kldload mac_seeotheruids

Have users other than root logged in.

sysctl security.mac.seeotheruids.specificgid_enabled=0
ps wwaux | grep -v ^root
>Fix:

>Release-Note:
>Audit-Trail:

From: Matthew Poole <matt@p00le.net>
To: matt@p00le.net, bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/79705: mac_seeotheruids not blocking root
Date: Sat, 14 May 2005 23:47:37 +1200

 Further to this, I got the mac_seeotheruids.c file from 5.3-RELEASE and
 built it on a 5.4-RELEASE box, and it works fine.  The diff for the two
 files (the .bak is the 5.4 file) is below.
 
 diff mac_seeotheruids.c mac_seeotheruids.c.bak
 34c34
 <  * $FreeBSD: src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v
 1.6 2004/02/22 00:33:12 rwatson Exp $
 ---
 >  * $FreeBSD: src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v
 1.6.2.1 2005/01/22 19:18:15 rwatson Exp $
 117a118,120
 >               return (0);
 >
 >       if (suser_cred(u1, 0) =3D=3D 0)
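 Review bot: the direction of this diff needs flagging before the hunk at `117a118,120` is read: the .bak is the 5.4 file, so the `>` lines are what 5.4 (rev 1.6.2.1) added relative to 5.3 (rev 1.6), not what was removed. Read together with the `return (0);` that already followed line 117 in the 1.6 file, the new `if (suser_cred(u1, 0) == 0)` makes the check return 0 (allow) for any caller holding superuser credentials before the ESRCH path is reached, which is exactly the root-sees-all-processes behaviour in the report. The `=3D=3D` is quoted-printable mail encoding of `==`, not part of the source.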
 
 I'm not sure how those two lines interact with things, but they appear
 to be the cause of the problem.
 
 -- 
 Matthew Poole
 

From: Tom Rhodes <trhodes@FreeBSD.org>
To: bug-followup@FreeBSD.org, matt@poole.net
Cc:  
Subject: Re: kern/79705: mac_seeotheruids not blocking root
Date: Sun, 26 Mar 2006 20:35:12 -0500

 Hi Matthew,
 
 The mac_seeotheruids(4) module changed as it was too difficult
 for the root user to properly maintain a multi-user environment
 as was.  There was also a report about breaking ident.  Could you
 try the following patch and toggle the suser_privileged sysctl?
 It should fix your problem.  Thanks,
 
 -- 
 Tom Rhodes
 
 
 ===================================================================
 RCS file: /usr/local/www/cvsroot/FreeBSD/src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v
 retrieving revision 1.7
 retrieving revision 1.8
 diff -u -p -r1.7 -r1.8
 --- src/sys/security/mac_seeotheruids/mac_seeotheruids.c	2005/01/03 12:08:18	1.7
 +++ src/sys/security/mac_seeotheruids/mac_seeotheruids.c	2005/09/30 23:41:10	1.8
 @@ -84,6 +84,14 @@ SYSCTL_INT(_security_mac_seeotheruids, O
      "with the same real primary group id");
  
  /*
 + * Exception: allow the root user to be aware of other credentials by virtue
 + * of privilege.
 + */
 +static int	suser_privileged = 1;
 +SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, suser_privileged,
 +    CTLFLAG_RW, &suser_privileged, 0, "Make an exception for superuser");
 +
 +/*
   * Exception: allow processes with a specific gid to be exempt from the
   * policy.  One sysctl enables this functionality; the other sets the
   * exempt gid.
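 Review bot: the new knob defaults to on (`static int	suser_privileged = 1;`), so applying this patch by itself does not change the behaviour reported in the PR; an administrator who wants root subject to the policy has to set `security.mac.seeotheruids.suser_privileged=0` after loading the module. That default, and the sysctl itself, belong in mac_seeotheruids(4), which this patch does not touch, and the description string `"Make an exception for superuser"` could state that it is enabled by default so `sysctl -d` output is not misleading.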
 @@ -117,8 +125,10 @@ mac_seeotheruids_check(struct ucred *u1,
  	if (u1->cr_ruid == u2->cr_ruid)
  		return (0);
  
 -	if (suser_cred(u1, 0) == 0)
 -		return (0);
 +	if (suser_privileged) {
 +		if (suser_cred(u1, 0) == 0)
 +			return (0);
 +	}
  
  	return (ESRCH);
  }
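 Review bot: the nested `if (suser_privileged) { if (suser_cred(u1, 0) == 0) ... }` can be a single condition, `if (suser_privileged && suser_cred(u1, 0) == 0)`, which keeps the change to one line and mirrors the single-line `cr_ruid` check directly above it. The ordering is right: the same-ruid shortcut still runs first, so with the knob off a root-owned process falls through to `return (ESRCH);` like any other uid, which is the 1.6 behaviour the submitter is asking for, and because the knob is read as a plain int on every call, toggling the sysctl takes effect on the next check without reloading the module.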
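Pulling together the submitter's repeat steps and the suser_privileged knob from the patch, here is an added check script (example code, not part of the PR or of FreeBSD) that counts the distinct other users visible in `ps` output and classifies the result. It assumes a kernel carrying the 1.8 patch, so `security.mac.seeotheruids.suser_privileged` exists; the live part runs only on FreeBSD with the module loaded, and the `ps` sample is constructed, not taken from the reporter's machine.

```shell
#!/bin/sh
# Added example, not from the PR: does mac_seeotheruids actually hide other
# users' processes from the calling user? The pure helpers work on text so
# they can be exercised offline; the live part runs only on FreeBSD and
# assumes the suser_privileged sysctl added by the 1.8 patch is present.

# count_other_users ME: stdin is one username per line (as printed by
# `ps -axo user=`); prints how many distinct users other than ME appear.
count_other_users() {
    me="$1"
    grep -v "^${me}\$" | sort -u | grep -c . || true
}

# policy_verdict ME SUSER_PRIVILEGED OTHERS: classify what ME can see.
#   enforced    - no other uid visible: the policy is hiding processes
#   root-exempt - root sees others with suser_privileged=1 (the 1.7/1.8 default)
#   LEAK        - other uids visible although the policy should hide them
policy_verdict() {
    me="$1"; suser_priv="$2"; others="$3"
    if [ "$others" -eq 0 ]; then
        echo enforced
    elif [ "$me" = root ] && [ "$suser_priv" = 1 ]; then
        echo root-exempt
    else
        echo LEAK
    fi
}

# Constructed sample of `ps -axo user=` output as root on a box where the
# policy is loaded but not hiding anything (the situation in this PR).
SAMPLE_PS='root
root
matt
matt
www
root'

# Live check: only meaningful on FreeBSD with the module loaded.
if [ "$(uname -s)" = FreeBSD ] && kldstat -q -m mac_seeotheruids 2>/dev/null; then
    me=$(id -un)
    priv=$(sysctl -n security.mac.seeotheruids.suser_privileged 2>/dev/null || echo unknown)
    n=$(ps -axo user= | count_other_users "$me")
    echo "user=$me suser_privileged=$priv other_users_visible=$n" \
         "verdict=$(policy_verdict "$me" "$priv" "$n")"
else
    n=$(printf '%s\n' "$SAMPLE_PS" | count_other_users root)
    echo "sample: root sees $n other users -> $(policy_verdict root 0 "$n")"
fi
```

Run as root after `kldload mac_seeotheruids`; `LEAK` with `suser_privileged=0` is the bug from this PR, `root-exempt` with it set to 1 is the intended post-patch default.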
State-Changed-From-To: open->feedback 
State-Changed-By: trhodes 
State-Changed-When: Mon Mar 27 04:54:59 UTC 2006 
State-Changed-Why:  
Patch offered to user. 


Responsible-Changed-From-To: freebsd-bugs->trhodes 
Responsible-Changed-By: trhodes 
Responsible-Changed-When: Mon Mar 27 04:54:59 UTC 2006 
Responsible-Changed-Why:  
Take 

http://www.freebsd.org/cgi/query-pr.cgi?pr=79705 
State-Changed-From-To: feedback->closed 
State-Changed-By: trhodes 
State-Changed-When: Sat Oct 7 10:55:41 UTC 2006 
State-Changed-Why:  
Feedback timeout. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=79705 
>Unformatted:
