mac_do(4): Enhance GID rule validation to check all groups in cr_groupsPreviously, the rule validation only checked the primary GID (cr_gid).This caused issues when applying GID-based rules, as us
mac_do(4): Enhance GID rule validation to check all groups in cr_groupsPreviously, the rule validation only checked the primary GID (cr_gid).This caused issues when applying GID-based rules, as users with matchingsecondary groups were not considered valid. This patch modifies bothfunctions to iterate through all groups in cr_groups to ensure all groupmemberships are considered when validating GID-based rules.For example, a user's primary group is staff (20) and they are also inthe wheel (0) group, this change allows the rule gid=0:any to enablethem to run commands as any user.Reviewed by: delphij (earlier version), baptDifferential Revision: https://reviews.freebsd.org/D47304
show more ...
MAC/do: allow to call setuid if real user id is 0This fixed sshd not able to call restore_uid when MAC/do policy isloaded
mac_do: add a new MAC/do policy and mdo(1) utilityThis policy enables a user to become another user without having to beroot (hence no setuid binary). it is configured via rules using sysctlsecur
mac_do: add a new MAC/do policy and mdo(1) utilityThis policy enables a user to become another user without having to beroot (hence no setuid binary). it is configured via rules using sysctlsecurity.mac.do.rulesFor example:security.mac.do.rules=uid=1001:80,gid=0:anyThe above rule means the user identifier by the uid 1001 is able tobecome user 80Any user of the group 0 are allowed to become any user on the system.The mdo(1) utility expects the MAC/do policy to be installed and itsrules defined.Reviewed by: desDifferential Revision: https://reviews.freebsd.org/D45145